@crossauth/backend 0.0.33 → 0.0.35
- package/dist/authenticators/ldapauth.d.ts +6 -0
- package/dist/authenticators/ldapauth.d.ts.map +1 -1
- package/dist/authenticators/oidcauthenticator.d.ts +5 -4
- package/dist/authenticators/oidcauthenticator.d.ts.map +1 -1
- package/dist/index.cjs +1 -1
- package/dist/index.js +371 -369
- package/dist/oauth/authserver.d.ts +1 -0
- package/dist/oauth/authserver.d.ts.map +1 -1
- package/dist/oauth/client.d.ts +8 -0
- package/dist/oauth/client.d.ts.map +1 -1
- package/package.json +2 -2
package/dist/index.js
@@ -1,6 +1,6 @@
|
|
|
1
1
|
var Ae = Object.defineProperty;
|
|
2
2
|
var Ie = (S, s, e) => s in S ? Ae(S, s, { enumerable: !0, configurable: !0, writable: !0, value: e }) : S[s] = e;
|
|
3
|
-
var
|
|
3
|
+
var d = (S, s, e) => Ie(S, typeof s != "symbol" ? s + "" : s, e);
|
|
4
4
|
import { CrossauthError as o, ErrorCode as l, UserState as E, CrossauthLogger as u, j as f, OAuthFlows as b, KeyPrefix as U, OAuthTokenConsumerBase as Pe, OAuthClientBase as Ke } from "@crossauth/common";
|
|
5
5
|
import { PrismaClient as ce, Prisma as X } from "@prisma/client";
|
|
6
6
|
import ye from "@mbakereth/ldapjs";
|
|
@@ -71,10 +71,10 @@ class L {
|
|
|
71
71
|
* @param options See {@link UserStorageOptions}
|
|
72
72
|
*/
|
|
73
73
|
constructor(s = {}) {
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
74
|
+
d(this, "userEditableFields", []);
|
|
75
|
+
d(this, "adminEditableFields", []);
|
|
76
|
+
d(this, "normalizeUsername", !0);
|
|
77
|
+
d(this, "normalizeEmail", !0);
|
|
78
78
|
m("userEditableFields", g.JsonArray, this, s, "USER_EDITABLE_FIELDS"), m("adminEditableFields", g.JsonArray, this, s, "ADMIN_EDITABLE_FIELDS"), m("normalizeUsername", g.JsonArray, this, s, "NORMALIZE_USERNAME"), m("normalizeEmail", g.JsonArray, this, s, "NORMALIZE_EMAIL");
|
|
79
79
|
}
|
|
80
80
|
/**
|
|
@@ -173,14 +173,14 @@ class G extends L {
|
|
|
173
173
|
*/
|
|
174
174
|
constructor(e = {}) {
|
|
175
175
|
super(e);
|
|
176
|
-
|
|
177
|
-
|
|
178
|
-
|
|
179
|
-
|
|
180
|
-
|
|
181
|
-
|
|
182
|
-
|
|
183
|
-
|
|
176
|
+
d(this, "userTable", "user");
|
|
177
|
+
d(this, "userSecretsTable", "userSecrets");
|
|
178
|
+
d(this, "idColumn", "id");
|
|
179
|
+
d(this, "useridForeignKeyColumn", "userid");
|
|
180
|
+
d(this, "prismaClient");
|
|
181
|
+
d(this, "includes", ["secrets"]);
|
|
182
|
+
d(this, "includesObject", {});
|
|
183
|
+
d(this, "forceIdToNumber", !0);
|
|
184
184
|
m("userTable", g.String, this, e, "USER_TABLE"), m("userSecretsTable", g.String, this, e, "USER_SECRETS_TABLE"), m("idColumn", g.String, this, e, "USER_ID_COLUMN"), m("useridForeignKeyColumn", g.String, this, e, "USER_ID_FOREIGN_KEY_COLUMN"), m("includes", g.String, this, e, "USER_INCLUDES"), m("forceIdToNumber", g.String, this, e, "USER_FORCE_ID_TO_NUMBER"), this.includes.forEach((t) => {
|
|
185
185
|
this.includesObject[t] = !0;
|
|
186
186
|
}), e && e.prismaClient ? this.prismaClient = e.prismaClient : this.prismaClient = new ce();
|
|
@@ -279,16 +279,16 @@ class G extends L {
|
|
|
279
279
|
try {
|
|
280
280
|
let { id: r, ...i } = e, { userid: a, ...n } = t ?? {};
|
|
281
281
|
"email" in i && i.email && (i = { email_normalized: G.normalize(i.email), ...i }), "username" in i && i.username && (i = { username_normalized: G.normalize(i.username), ...i }), t ? await this.prismaClient.$transaction(async (c) => {
|
|
282
|
-
let
|
|
282
|
+
let h = {};
|
|
283
283
|
try {
|
|
284
|
-
|
|
284
|
+
h = await c[this.userSecretsTable].findUniqueOrThrow({
|
|
285
285
|
where: {
|
|
286
286
|
[this.useridForeignKeyColumn]: e.id
|
|
287
287
|
}
|
|
288
288
|
});
|
|
289
289
|
} catch {
|
|
290
290
|
}
|
|
291
|
-
let { userid: w, ...y } =
|
|
291
|
+
let { userid: w, ...y } = h ?? {};
|
|
292
292
|
n = { ...y, ...n }, await c[this.userTable].update({
|
|
293
293
|
where: {
|
|
294
294
|
[this.idColumn]: e.id
|
|
@@ -421,10 +421,10 @@ class kt extends x {
|
|
|
421
421
|
*/
|
|
422
422
|
constructor(e = {}) {
|
|
423
423
|
super();
|
|
424
|
-
|
|
425
|
-
|
|
426
|
-
|
|
427
|
-
|
|
424
|
+
d(this, "keyTable", "key");
|
|
425
|
+
d(this, "prismaClient");
|
|
426
|
+
d(this, "transactionTimeout", 5e3);
|
|
427
|
+
d(this, "useridForeignKeyColumn", "userid");
|
|
428
428
|
m("transactionTimeout", g.Number, this, e, "TRANSACTION_TIMEOUT"), m("useridForeignKeyColumn", g.Number, this, e, "USER_ID_FOREIGN_KEY_COLUMN"), e.keyTable && (this.keyTable = e.keyTable), e.prismaClient == null ? this.prismaClient = new ce() : this.prismaClient = e.prismaClient;
|
|
429
429
|
}
|
|
430
430
|
async getKey(e) {
|
|
@@ -468,7 +468,7 @@ class kt extends x {
|
|
|
468
468
|
async saveKey(e, t, r, i, a, n = {}) {
|
|
469
469
|
let c;
|
|
470
470
|
try {
|
|
471
|
-
let
|
|
471
|
+
let h = {
|
|
472
472
|
[this.useridForeignKeyColumn]: e,
|
|
473
473
|
value: t,
|
|
474
474
|
created: r,
|
|
@@ -477,10 +477,10 @@ class kt extends x {
|
|
|
477
477
|
...n
|
|
478
478
|
};
|
|
479
479
|
await this.prismaClient[this.keyTable].create({
|
|
480
|
-
data:
|
|
480
|
+
data: h
|
|
481
481
|
});
|
|
482
|
-
} catch (
|
|
483
|
-
|
|
482
|
+
} catch (h) {
|
|
483
|
+
h instanceof X.PrismaClientKnownRequestError || h instanceof Object && "code" in h ? h.code == "P2002" ? (u.logger.warn(f({ msg: "Attempt to create key that already exists. Stack trace follows" })), u.logger.debug(f({ err: h })), c = new o(l.KeyExists)) : (u.logger.debug(f({ err: h })), c = new o(l.Connection, "Error saving key")) : (u.logger.debug(f({ err: h })), c = new o(l.Connection, "Error saving key"));
|
|
484
484
|
}
|
|
485
485
|
if (c)
|
|
486
486
|
throw c;
|
|
@@ -691,14 +691,14 @@ class Et extends me {
|
|
|
691
691
|
*/
|
|
692
692
|
constructor(e = {}) {
|
|
693
693
|
super();
|
|
694
|
-
|
|
695
|
-
|
|
696
|
-
|
|
697
|
-
|
|
694
|
+
d(this, "clientTable", "oAuthClient");
|
|
695
|
+
d(this, "redirectUriTable", "OAuthClientRedirectUri");
|
|
696
|
+
d(this, "validFlowTable", "OAuthClientValidFlow");
|
|
697
|
+
d(this, "prismaClient");
|
|
698
698
|
// PrismaClient;
|
|
699
|
-
|
|
700
|
-
|
|
701
|
-
|
|
699
|
+
d(this, "transactionTimeout", 5e3);
|
|
700
|
+
d(this, "updateMode", "DeleteAndInsert");
|
|
701
|
+
d(this, "useridForeignKeyColumn", "userid");
|
|
702
702
|
m("clientTable", g.String, this, e, "OAUTH_CLIENT_TABLE"), m("redirectUriTable", g.String, this, e, "OAUTH_REDIRECTURI_TABLE"), m("validFlowTable", g.String, this, e, "OAUTH_VALID_FLOW_TABLE"), m("transactionTimeout", g.Number, this, e, "TRANSACTION_TIMEOUT"), m("updateMode", g.String, this, e, "OAUTHCLIENT_UPDATE_MODE"), m("useridForeignKeyColumn", g.String, this, e, "USER_ID_FOREIGN_KEY_COLUMN"), e.prismaClient == null ? this.prismaClient = new ce() : this.prismaClient = e.prismaClient;
|
|
703
703
|
}
|
|
704
704
|
async getClientById(e) {
|
|
@@ -717,13 +717,13 @@ class Et extends me {
|
|
|
717
717
|
...n
|
|
718
718
|
},
|
|
719
719
|
include: { redirect_uri: !0, valid_flow: !0 }
|
|
720
|
-
}),
|
|
720
|
+
}), h = c.redirect_uri, w = c.valid_flow;
|
|
721
721
|
let y = c[this.useridForeignKeyColumn];
|
|
722
722
|
return y === null && (y = void 0), this.useridForeignKeyColumn != "userid" && delete c[this.useridForeignKeyColumn], [{
|
|
723
723
|
...c,
|
|
724
724
|
userid: y,
|
|
725
725
|
client_secret: c.client_secret ?? void 0,
|
|
726
|
-
redirect_uri:
|
|
726
|
+
redirect_uri: h.map((p) => p.uri),
|
|
727
727
|
valid_flow: w.map((p) => p.flow)
|
|
728
728
|
}];
|
|
729
729
|
} else {
|
|
@@ -734,10 +734,10 @@ class Et extends me {
|
|
|
734
734
|
},
|
|
735
735
|
include: { redirect_uri: !0, valid_flow: !0 }
|
|
736
736
|
});
|
|
737
|
-
for (let
|
|
738
|
-
const w =
|
|
739
|
-
let p =
|
|
740
|
-
p == null && (p = void 0),
|
|
737
|
+
for (let h of c) {
|
|
738
|
+
const w = h.redirect_uri, y = h.valid_flow;
|
|
739
|
+
let p = h[this.useridForeignKeyColumn];
|
|
740
|
+
p == null && (p = void 0), h.userid = p, this.useridForeignKeyColumn != "userid" && delete h[this.useridForeignKeyColumn], h.client_secret = h.client_secret ?? void 0, h.redirect_uri = w.map((_) => _.uri), h.valid_flow = y.map((_) => _.flow);
|
|
741
741
|
}
|
|
742
742
|
return c;
|
|
743
743
|
}
|
|
@@ -768,50 +768,50 @@ class Et extends me {
|
|
|
768
768
|
const { redirect_uri: r, valid_flow: i, userid: a, ...n } = e;
|
|
769
769
|
let c;
|
|
770
770
|
if (a && (n[this.useridForeignKeyColumn] = a), this.useridForeignKeyColumn != "userid" && delete e[this.useridForeignKeyColumn], r)
|
|
771
|
-
for (let
|
|
772
|
-
if (r[
|
|
771
|
+
for (let h = 0; h < r.length; ++h) {
|
|
772
|
+
if (r[h].includes("#")) throw new o(l.InvalidRedirectUri, "Redirect Uri's may not contain page fragments");
|
|
773
773
|
try {
|
|
774
|
-
new URL(r[
|
|
774
|
+
new URL(r[h]);
|
|
775
775
|
} catch {
|
|
776
|
-
throw new o(l.InvalidRedirectUri, `Redriect uri ${r[
|
|
776
|
+
throw new o(l.InvalidRedirectUri, `Redriect uri ${r[h]} is not valid`);
|
|
777
777
|
}
|
|
778
778
|
}
|
|
779
779
|
if (i) {
|
|
780
|
-
for (let
|
|
781
|
-
if (!b.isValidFlow(i[
|
|
780
|
+
for (let h = 0; h < i.length; ++h)
|
|
781
|
+
if (!b.isValidFlow(i[h])) throw new o(l.InvalidOAuthFlow, "Invalid flow " + i[h]);
|
|
782
782
|
}
|
|
783
783
|
try {
|
|
784
784
|
c = await t[this.clientTable].create({
|
|
785
785
|
data: n
|
|
786
786
|
});
|
|
787
|
-
} catch (
|
|
788
|
-
throw
|
|
787
|
+
} catch (h) {
|
|
788
|
+
throw h instanceof X.PrismaClientKnownRequestError || h instanceof Object && "code" in h ? h.code == "P2002" ? (u.logger.debug(f({ err: h })), new o(l.ClientExists, "Attempt to create an OAuth client with a client_id that already exists. Maximum attempts failed")) : (u.logger.debug(f({ err: h })), new o(l.Connection, "Error saving OAuth client")) : (u.logger.debug(f({ err: h })), new o(l.Connection, "Error saving OAuth client"));
|
|
789
789
|
}
|
|
790
790
|
if (!c)
|
|
791
791
|
throw u.logger.error(f({ msg: "Attempt to create key that already exists. Stack trace follows" })), new o(l.KeyExists);
|
|
792
792
|
if (r)
|
|
793
793
|
try {
|
|
794
|
-
for (let
|
|
794
|
+
for (let h = 0; h < r.length; ++h)
|
|
795
795
|
await t[this.redirectUriTable].create({
|
|
796
796
|
data: {
|
|
797
797
|
client_id: c.client_id,
|
|
798
|
-
uri: r[
|
|
798
|
+
uri: r[h]
|
|
799
799
|
}
|
|
800
800
|
});
|
|
801
|
-
} catch (
|
|
802
|
-
throw
|
|
801
|
+
} catch (h) {
|
|
802
|
+
throw h instanceof X.PrismaClientKnownRequestError || h instanceof Object && "code" in h ? h.code == "P2002" ? (u.logger.debug(f({ err: h })), new o(l.InvalidRedirectUri, "Attempt to create an OAuth client with a redirect uri that already belongs to another client")) : (u.logger.debug(f({ err: h })), new o(l.Connection, "Error saving OAuth client")) : (u.logger.debug(f({ err: h })), new o(l.Connection, "Error saving OAuth client"));
|
|
803
803
|
}
|
|
804
804
|
if (i)
|
|
805
805
|
try {
|
|
806
|
-
for (let
|
|
806
|
+
for (let h = 0; h < i.length; ++h)
|
|
807
807
|
await t[this.validFlowTable].create({
|
|
808
808
|
data: {
|
|
809
809
|
client_id: c.client_id,
|
|
810
|
-
flow: i[
|
|
810
|
+
flow: i[h]
|
|
811
811
|
}
|
|
812
812
|
});
|
|
813
|
-
} catch (
|
|
814
|
-
throw
|
|
813
|
+
} catch (h) {
|
|
814
|
+
throw h instanceof X.PrismaClientKnownRequestError || h instanceof Object && "code" in h ? (u.logger.debug(f({ err: h })), new o(l.Connection, "Error saving OAuth client")) : (u.logger.debug(f({ err: h })), new o(l.Connection, "Error saving OAuth client"));
|
|
815
815
|
}
|
|
816
816
|
return { ...c, redirect_uri: r, valid_flow: i };
|
|
817
817
|
}
|
|
@@ -954,11 +954,11 @@ class bt extends we {
|
|
|
954
954
|
*/
|
|
955
955
|
constructor(e = {}) {
|
|
956
956
|
super();
|
|
957
|
-
|
|
958
|
-
|
|
957
|
+
d(this, "authorizationTable", "oAuthAuthorization");
|
|
958
|
+
d(this, "prismaClient");
|
|
959
959
|
// PrismaClient;
|
|
960
|
-
|
|
961
|
-
|
|
960
|
+
d(this, "transactionTimeout", 5e3);
|
|
961
|
+
d(this, "useridForeignKeyColumn", "userid");
|
|
962
962
|
m("authorizationTable", g.String, this, e, "OAUTH_CLIENT_TABLE"), m("transactionTimeout", g.Number, this, e, "TRANSACTION_TIMEOUT"), m("useridForeignKeyColumn", g.String, this, e, "USER_ID_FOREIGN_KEY_COLUMN"), e.prismaClient == null ? this.prismaClient = new ce() : this.prismaClient = e.prismaClient;
|
|
963
963
|
}
|
|
964
964
|
async getAuthorizations(e, t) {
|
|
@@ -1018,10 +1018,10 @@ class Ut extends L {
|
|
|
1018
1018
|
*/
|
|
1019
1019
|
constructor(e = {}) {
|
|
1020
1020
|
super(e);
|
|
1021
|
-
|
|
1022
|
-
|
|
1023
|
-
|
|
1024
|
-
|
|
1021
|
+
d(this, "usersByUsername", {});
|
|
1022
|
+
d(this, "usersByEmail", {});
|
|
1023
|
+
d(this, "secretsByUsername", {});
|
|
1024
|
+
d(this, "secretsByEmail", {});
|
|
1025
1025
|
}
|
|
1026
1026
|
/**
|
|
1027
1027
|
* Create a user
|
|
@@ -1163,9 +1163,9 @@ class At extends x {
|
|
|
1163
1163
|
*/
|
|
1164
1164
|
constructor() {
|
|
1165
1165
|
super();
|
|
1166
|
-
|
|
1167
|
-
|
|
1168
|
-
|
|
1166
|
+
d(this, "keys", {});
|
|
1167
|
+
d(this, "keysByUserId", {});
|
|
1168
|
+
d(this, "nonUserKeys", []);
|
|
1169
1169
|
}
|
|
1170
1170
|
/**
|
|
1171
1171
|
* Returns the matching key recortd, with additional, or throws an exception.
|
|
@@ -1239,8 +1239,8 @@ class At extends x {
|
|
|
1239
1239
|
for (let i = 0; i < r.length; ++i) {
|
|
1240
1240
|
let a = !0, n = 0;
|
|
1241
1241
|
const c = r[i];
|
|
1242
|
-
for (let
|
|
1243
|
-
if (
|
|
1242
|
+
for (let h in e)
|
|
1243
|
+
if (h in c && c[h] != e[h]) {
|
|
1244
1244
|
a = !1, n = i;
|
|
1245
1245
|
break;
|
|
1246
1246
|
}
|
|
@@ -1316,8 +1316,8 @@ class It extends me {
|
|
|
1316
1316
|
*/
|
|
1317
1317
|
constructor(e = {}) {
|
|
1318
1318
|
super();
|
|
1319
|
-
|
|
1320
|
-
|
|
1319
|
+
d(this, "clients", {});
|
|
1320
|
+
d(this, "clientsByName", {});
|
|
1321
1321
|
}
|
|
1322
1322
|
/**
|
|
1323
1323
|
* Returns the matching client record or throws an exception.
|
|
@@ -1407,8 +1407,8 @@ class Pt extends we {
|
|
|
1407
1407
|
*/
|
|
1408
1408
|
constructor(e = {}) {
|
|
1409
1409
|
super();
|
|
1410
|
-
|
|
1411
|
-
|
|
1410
|
+
d(this, "byClientAndUser", {});
|
|
1411
|
+
d(this, "byClient", {});
|
|
1412
1412
|
}
|
|
1413
1413
|
async getAuthorizations(e, t) {
|
|
1414
1414
|
if (t) {
|
|
@@ -1447,11 +1447,11 @@ class oe extends L {
|
|
|
1447
1447
|
*/
|
|
1448
1448
|
constructor(e, t = {}) {
|
|
1449
1449
|
super(t);
|
|
1450
|
-
|
|
1451
|
-
|
|
1452
|
-
|
|
1453
|
-
|
|
1454
|
-
|
|
1450
|
+
d(this, "localStorage");
|
|
1451
|
+
d(this, "ldapUrls", []);
|
|
1452
|
+
d(this, "ldapUserSearchBase", "");
|
|
1453
|
+
d(this, "ldapUsernameAttribute", "cn");
|
|
1454
|
+
d(this, "createUserFn", $e);
|
|
1455
1455
|
this.localStorage = e, m("ldapUrls", g.JsonArray, this, t, "LDAP_URL", !0), m("ldapUserSearchBase", g.String, this, t, "LDAP_USER_SEARCH_BASE"), m("ldapUsernameAttribute", g.String, this, t, "LDAP_USENAME_ATTRIBUTE"), t.createUserFn && (this.createUserFn = t.createUserFn);
|
|
1456
1456
|
}
|
|
1457
1457
|
/**
|
|
@@ -1590,17 +1590,17 @@ class oe extends L {
|
|
|
1590
1590
|
r && (n.attributes = r), e.search(
|
|
1591
1591
|
t,
|
|
1592
1592
|
n,
|
|
1593
|
-
function(c,
|
|
1593
|
+
function(c, h) {
|
|
1594
1594
|
let w;
|
|
1595
1595
|
if (c) {
|
|
1596
1596
|
a(c), e.unbind();
|
|
1597
1597
|
return;
|
|
1598
1598
|
}
|
|
1599
|
-
|
|
1599
|
+
h.on("searchEntry", function(y) {
|
|
1600
1600
|
w = oe.searchResultToUser(y.pojo);
|
|
1601
|
-
}),
|
|
1601
|
+
}), h.on("error", function(y) {
|
|
1602
1602
|
a(y), e.unbind();
|
|
1603
|
-
}),
|
|
1603
|
+
}), h.on("end", function(y) {
|
|
1604
1604
|
y.status != 0 ? a(new o(l.Connection, "LDAP onnection failed")) : w ? i(w) : a(new o(l.UsernameOrPasswordInvalid)), e.unbind();
|
|
1605
1605
|
});
|
|
1606
1606
|
}
|
|
@@ -1638,12 +1638,12 @@ class Y extends L {
|
|
|
1638
1638
|
*/
|
|
1639
1639
|
constructor(e, t = {}) {
|
|
1640
1640
|
super(t);
|
|
1641
|
-
|
|
1642
|
-
|
|
1643
|
-
|
|
1644
|
-
|
|
1645
|
-
|
|
1646
|
-
|
|
1641
|
+
d(this, "userTable", "users");
|
|
1642
|
+
d(this, "userSecretsTable", "usersecrets");
|
|
1643
|
+
d(this, "idColumn", "id");
|
|
1644
|
+
d(this, "useridForeignKeyColumn", "userid");
|
|
1645
|
+
d(this, "forceIdToNumber", !0);
|
|
1646
|
+
d(this, "dbPool");
|
|
1647
1647
|
this.dbPool = e, m("userTable", g.String, this, t, "USER_TABLE"), m("userSecretsTable", g.String, this, t, "USER_SECRETS_TABLE"), m("idColumn", g.String, this, t, "USER_ID_COLUMN"), m("forceIdToNumber", g.String, this, t, "USER_FORCE_ID_TO_NUMBER"), m("useridForeignKeyColumn", g.String, this, t, "USER_ID_FOREIGN_KEY_COLUMN");
|
|
1648
1648
|
}
|
|
1649
1649
|
/**
|
|
@@ -1696,7 +1696,7 @@ class Y extends L {
|
|
|
1696
1696
|
let i = await this.dbPool.connect(), a, n, c = this.dbPool.parameters();
|
|
1697
1697
|
try {
|
|
1698
1698
|
await i.startTransaction();
|
|
1699
|
-
let
|
|
1699
|
+
let h = `select * from ${this.userTable} where ${e} = ` + c.nextParameter(), w = await i.execute(h, [t]);
|
|
1700
1700
|
if (w.length == 0)
|
|
1701
1701
|
throw new o(l.UserNotExist);
|
|
1702
1702
|
let y, p, _;
|
|
@@ -1712,7 +1712,7 @@ class Y extends L {
|
|
|
1712
1712
|
username: p,
|
|
1713
1713
|
state: _
|
|
1714
1714
|
}, !a) throw new o(l.UserNotExist);
|
|
1715
|
-
if (c = this.dbPool.parameters(),
|
|
1715
|
+
if (c = this.dbPool.parameters(), h = `select * from ${this.userSecretsTable} where ${this.useridForeignKeyColumn} = ` + c.nextParameter(), w = await i.execute(h, [a.id]), w.length == 0)
|
|
1716
1716
|
throw new o(l.UserNotExist);
|
|
1717
1717
|
if (w.length > 0 ? n = { userid: a.id, ...w[0] } : n = { userid: a.id }, !n) throw new o(l.UserNotExist);
|
|
1718
1718
|
if (this.useridForeignKeyColumn != "userid" && this.useridForeignKeyColumn in n && delete n[this.useridForeignKeyColumn], await i.commit(), (r == null ? void 0 : r.skipActiveCheck) != !0 && a.state == E.awaitingTwoFactorSetup)
|
|
@@ -1728,8 +1728,8 @@ class Y extends L {
|
|
|
1728
1728
|
if ((r == null ? void 0 : r.skipActiveCheck) != !0 && a.state == E.factor2ResetNeeded)
|
|
1729
1729
|
throw u.logger.debug(f({ msg: "2FA reset required" })), new o(l.Factor2ResetNeeded);
|
|
1730
1730
|
return { user: a, secrets: n };
|
|
1731
|
-
} catch (
|
|
1732
|
-
throw await i.rollback(),
|
|
1731
|
+
} catch (h) {
|
|
1732
|
+
throw await i.rollback(), h;
|
|
1733
1733
|
} finally {
|
|
1734
1734
|
i.release();
|
|
1735
1735
|
}
|
|
@@ -1742,8 +1742,8 @@ class Y extends L {
|
|
|
1742
1742
|
*/
|
|
1743
1743
|
async getUsers(e, t) {
|
|
1744
1744
|
const r = await this.dbPool.connect();
|
|
1745
|
-
let i = [], a = [], n = "", c = "",
|
|
1746
|
-
e && (c = "OFFSET " +
|
|
1745
|
+
let i = [], a = [], n = "", c = "", h = this.dbPool.parameters();
|
|
1746
|
+
e && (c = "OFFSET " + h.nextParameter()), t && (a.push(t), n = "LIMIT " + h.nextParameter());
|
|
1747
1747
|
try {
|
|
1748
1748
|
let w = `select * from ${this.userTable} ${n} ${c} order by username_normalized asc`, y = await r.execute(w, a);
|
|
1749
1749
|
if (y.length == 0)
|
|
@@ -1789,7 +1789,7 @@ class Y extends L {
|
|
|
1789
1789
|
let i = this.dbPool.parameters(), a = `select * from ${this.userTable} where ${this.idColumn} = ` + i.nextParameter();
|
|
1790
1790
|
if ((await r.execute(a, [e.id])).length == 0)
|
|
1791
1791
|
throw new o(l.UserNotExist);
|
|
1792
|
-
let c = { ...e },
|
|
1792
|
+
let c = { ...e }, h = t ? { ...t } : void 0;
|
|
1793
1793
|
"email" in c && c.email && (c = { email_normalized: this.normalizeEmail ? Y.normalize(c.email) : c.email, ...c }), "username" in c && c.username && (c = { username_normalized: this.normalizeUsername ? Y.normalize(c.username) : c.username, ...c }), i = this.dbPool.parameters();
|
|
1794
1794
|
let w = [], y = [];
|
|
1795
1795
|
for (let p in c)
|
|
@@ -1802,8 +1802,8 @@ class Y extends L {
|
|
|
1802
1802
|
}
|
|
1803
1803
|
if (t) {
|
|
1804
1804
|
w = [], y = [], i = this.dbPool.parameters();
|
|
1805
|
-
for (let p in
|
|
1806
|
-
|
|
1805
|
+
for (let p in h)
|
|
1806
|
+
h[p] != null && p != "userid" && (w.push(p + "= " + i.nextParameter()), y.push(h[p]));
|
|
1807
1807
|
if (w.length > 0) {
|
|
1808
1808
|
let p = w.join(", ");
|
|
1809
1809
|
y.push(e.id);
|
|
@@ -1836,25 +1836,25 @@ class Y extends L {
|
|
|
1836
1836
|
await r.startTransaction();
|
|
1837
1837
|
let a = { ...e }, n = t ? { ...t } : void 0;
|
|
1838
1838
|
"email" in a && a.email && (a = { email_normalized: this.normalizeEmail ? Y.normalize(a.email) : a.email, ...a }), "username" in a && a.username && (a = { username_normalized: this.normalizeUsername ? Y.normalize(a.username) : a.username, ...a });
|
|
1839
|
-
let c = [],
|
|
1839
|
+
let c = [], h = [], w = [];
|
|
1840
1840
|
const y = this.dbPool.parameters();
|
|
1841
1841
|
for (let _ in a)
|
|
1842
|
-
a[_] != null && _ != "id" && (c.push(_),
|
|
1842
|
+
a[_] != null && _ != "id" && (c.push(_), h.push(y.nextParameter()), w.push(a[_]));
|
|
1843
1843
|
if (c.length > 0) {
|
|
1844
|
-
let _ = c.join(", "), C =
|
|
1844
|
+
let _ = c.join(", "), C = h.join(", ");
|
|
1845
1845
|
const T = `insert into ${this.userTable} (${_}) values (${C}) returning ${this.idColumn}`, k = await r.execute(T, w);
|
|
1846
1846
|
if (k.length == 0 || !k[0][this.idColumn]) throw new o(l.Connection, "Couldn't create user");
|
|
1847
1847
|
i = k[0][this.idColumn];
|
|
1848
1848
|
}
|
|
1849
1849
|
if (!i) throw new o(l.Connection, "Couldn't create user");
|
|
1850
1850
|
if (t) {
|
|
1851
|
-
c = [],
|
|
1851
|
+
c = [], h = [], w = [];
|
|
1852
1852
|
const _ = this.dbPool.parameters();
|
|
1853
|
-
c.push("userid"),
|
|
1853
|
+
c.push("userid"), h.push(_.nextParameter()), w.push(i);
|
|
1854
1854
|
for (let C in n)
|
|
1855
|
-
n[C] != null && C != "userid" && (c.push(C),
|
|
1855
|
+
n[C] != null && C != "userid" && (c.push(C), h.push(_.nextParameter()), w.push(n[C]));
|
|
1856
1856
|
if (c.length > 0) {
|
|
1857
|
-
let C = c.join(", "), T =
|
|
1857
|
+
let C = c.join(", "), T = h.join(", ");
|
|
1858
1858
|
const k = `insert into ${this.userSecretsTable} (${C}) values (${T})`;
|
|
1859
1859
|
u.logger.debug(f({ msg: "Executing query", query: k })), await r.execute(k, w);
|
|
1860
1860
|
}
|
|
@@ -1912,9 +1912,9 @@ class qe extends x {
|
|
|
1912
1912
|
*/
|
|
1913
1913
|
constructor(e, t = {}) {
|
|
1914
1914
|
super();
|
|
1915
|
-
|
|
1916
|
-
|
|
1917
|
-
|
|
1915
|
+
d(this, "keyTable", "keys");
|
|
1916
|
+
d(this, "dbPool");
|
|
1917
|
+
d(this, "useridForeignKeyColumn", "userid");
|
|
1918
1918
|
m("transactionTimeout", g.Number, this, t, "TRANSACTION_TIMEOUT"), m("useridForeignKeyColumn", g.String, this, t, "USER_ID_FOREIGN_KEY_COLUMN"), t.keyTable && (this.keyTable = t.keyTable), this.dbPool = e;
|
|
1919
1919
|
}
|
|
1920
1920
|
async getKey(e) {
|
|
@@ -1962,13 +1962,13 @@ class qe extends x {
|
|
|
1962
1962
|
* @throws {@link @crossauth/common!CrossauthError } if the key could not be stored.
|
|
1963
1963
|
*/
|
|
1964
1964
|
async saveKey(e, t, r, i, a, n = {}) {
|
|
1965
|
-
let c,
|
|
1965
|
+
let c, h = [this.useridForeignKeyColumn, "value", "created", "expires", "data"], w = this.dbPool.parameters(), y = [];
|
|
1966
1966
|
for (let k = 0; k < 5; ++k)
|
|
1967
1967
|
y.push(w.nextParameter());
|
|
1968
1968
|
let p = [e ?? null, t, r, i ?? null, a ?? ""];
|
|
1969
1969
|
for (let k in n)
|
|
1970
|
-
|
|
1971
|
-
let _ =
|
|
1970
|
+
h.push(k), y.push(w.nextParameter()), p.push(n[k]);
|
|
1971
|
+
let _ = h.join(", "), C = y.join(", ");
|
|
1972
1972
|
const T = await this.dbPool.connect();
|
|
1973
1973
|
try {
|
|
1974
1974
|
const k = `insert into ${this.keyTable} (${_}) values (${C})`;
|
|
@@ -1993,15 +1993,15 @@ class qe extends x {
|
|
|
1993
1993
|
async deleteAllForUser(e, t, r) {
|
|
1994
1994
|
const i = await this.dbPool.connect();
|
|
1995
1995
|
try {
|
|
1996
|
-
let a, n = [], c = "",
|
|
1996
|
+
let a, n = [], c = "", h = this.dbPool.parameters();
|
|
1997
1997
|
if (e) {
|
|
1998
|
-
const w =
|
|
1998
|
+
const w = h.nextParameter(), y = h.nextParameter();
|
|
1999
1999
|
a = `delete from ${this.keyTable} where ${this.useridForeignKeyColumn} = ${w} and value like ${y} `, n = [e];
|
|
2000
2000
|
} else {
|
|
2001
|
-
const w =
|
|
2001
|
+
const w = h.nextParameter();
|
|
2002
2002
|
a = `delete from ${this.keyTable} where ${this.useridForeignKeyColumn} is null and value like ${w}`;
|
|
2003
2003
|
}
|
|
2004
|
-
n.push(t + "%"), r && (c = "and value != " +
|
|
2004
|
+
n.push(t + "%"), r && (c = "and value != " + h.nextParameter(), n.push(r)), a += " " + c, u.logger.debug(f({ msg: "Executing query", query: a })), await i.execute(a, n);
|
|
2005
2005
|
} catch (a) {
|
|
2006
2006
|
throw a;
|
|
2007
2007
|
} finally {
|
|
@@ -2013,9 +2013,9 @@ class qe extends x {
|
|
|
2013
2013
|
try {
|
|
2014
2014
|
let r = [], i = [];
|
|
2015
2015
|
const a = this.dbPool.parameters();
|
|
2016
|
-
for (let
|
|
2017
|
-
let w =
|
|
2018
|
-
e[
|
|
2016
|
+
for (let h in e) {
|
|
2017
|
+
let w = h == "userid" ? this.useridForeignKeyColumn : h;
|
|
2018
|
+
e[h] == null ? r.push(w + " is null") : (r.push(w + " = " + a.nextParameter()), i.push(e[h]));
|
|
2019
2019
|
}
|
|
2020
2020
|
let n = r.join(" and "), c = `delete from ${this.keyTable} where ${n}`;
|
|
2021
2021
|
await t.execute(c, i);
|
|
@@ -2031,8 +2031,8 @@ class qe extends x {
|
|
|
2031
2031
|
let i, a = [];
|
|
2032
2032
|
const n = this.dbPool.parameters();
|
|
2033
2033
|
if (e) {
|
|
2034
|
-
let c = n.nextParameter(),
|
|
2035
|
-
i = `delete from ${this.keyTable} where ${this.useridForeignKeyColumn} = ${c} and value like ${
|
|
2034
|
+
let c = n.nextParameter(), h = n.nextParameter();
|
|
2035
|
+
i = `delete from ${this.keyTable} where ${this.useridForeignKeyColumn} = ${c} and value like ${h}`, a.push(e);
|
|
2036
2036
|
} else {
|
|
2037
2037
|
let c = n.nextParameter();
|
|
2038
2038
|
i = `delete from ${this.keyTable} where ${this.useridForeignKeyColumn} is null and value like ${c}`;
|
|
@@ -2053,8 +2053,8 @@ class qe extends x {
|
|
|
2053
2053
|
let c = await t.execute(i, a);
|
|
2054
2054
|
if (c.length == 0)
|
|
2055
2055
|
return [];
|
|
2056
|
-
for (let
|
|
2057
|
-
let w = this.makeKey(
|
|
2056
|
+
for (let h of c) {
|
|
2057
|
+
let w = this.makeKey(h);
|
|
2058
2058
|
this.useridForeignKeyColumn != "userid" && (w.userid = w[this.useridForeignKeyColumn], delete w[this.useridForeignKeyColumn]), r.push(w);
|
|
2059
2059
|
}
|
|
2060
2060
|
return r;
|
|
@@ -2086,12 +2086,12 @@ class qe extends x {
|
|
|
2086
2086
|
delete r.value;
|
|
2087
2087
|
let i = [], a = [], n = this.dbPool.parameters();
|
|
2088
2088
|
for (let c in r) {
|
|
2089
|
-
let
|
|
2090
|
-
r[c] != null && c == "userid" && this.useridForeignKeyColumn != "userid" && (
|
|
2089
|
+
let h = c;
|
|
2090
|
+
r[c] != null && c == "userid" && this.useridForeignKeyColumn != "userid" && (h = this.useridForeignKeyColumn), i.push(c + "= " + n.nextParameter()), a.push(r[h]);
|
|
2091
2091
|
}
|
|
2092
2092
|
if (a.push(t.value), i.length > 0) {
|
|
2093
|
-
let c = i.join(", "),
|
|
2094
|
-
u.logger.debug(f({ msg: "Executing query", query:
|
|
2093
|
+
let c = i.join(", "), h = `update ${this.keyTable} set ${c} where value = ` + n.nextParameter();
|
|
2094
|
+
u.logger.debug(f({ msg: "Executing query", query: h })), await e.execute(h, a);
|
|
2095
2095
|
}
|
|
2096
2096
|
}
|
|
2097
2097
|
/**
|
|
@@ -2162,11 +2162,11 @@ class We extends me {
|
|
|
2162
2162
|
*/
|
|
2163
2163
|
constructor(e, t = {}) {
|
|
2164
2164
|
super();
|
|
2165
|
-
|
|
2166
|
-
|
|
2167
|
-
|
|
2168
|
-
|
|
2169
|
-
|
|
2165
|
+
d(this, "clientTable", "oauthclient");
|
|
2166
|
+
d(this, "redirectUriTable", "oauthclientredirecturi");
|
|
2167
|
+
d(this, "validFlowTable", "oauthclientvalidflow");
|
|
2168
|
+
d(this, "dbPool");
|
|
2169
|
+
d(this, "useridForeignKeyColumn", "userid");
|
|
2170
2170
|
m("clientTable", g.String, this, t, "OAUTH_CLIENT_TABLE"), m("redirectUriTable", g.String, this, t, "OAUTH_REDIRECTURI_TABLE"), m("validFlowTable", g.String, this, t, "OAUTH_VALID_FLOW_TABLE"), m("updateMode", g.String, this, t, "OAUTHCLIENT_UPDATE_MODE"), m("useridForeignKeyColumn", g.String, this, t, "USER_ID_FOREIGN_KEY_COLUMN"), this.dbPool = e;
|
|
2171
2171
|
}
|
|
2172
2172
|
async getClientById(e) {
|
|
@@ -2210,10 +2210,10 @@ class We extends me {
|
|
|
2210
2210
|
};
|
|
2211
2211
|
}
|
|
2212
2212
|
async getClientWithTransaction(e, t, r, i, a, n) {
|
|
2213
|
-
let c = [],
|
|
2214
|
-
t && r && (p = `where c.${t} = ` +
|
|
2213
|
+
let c = [], h = this.dbPool.parameters(), w = [], y = `select c.*, r.uri as uri, null as flow from ${this.clientTable} as c left join ${this.redirectUriTable} r on c.client_id = r.client_id `, p = "";
|
|
2214
|
+
t && r && (p = `where c.${t} = ` + h.nextParameter(), w.push(r)), i !== null && i == null || (p == "" ? p = "where " : p += " and ", i == null ? p += "userid is null" : (p += `${this.useridForeignKeyColumn} = ` + h.nextParameter(), w.push(i)));
|
|
2215
2215
|
let _ = `select c.*, null as uri, f.flow as flow from ${this.clientTable} as c left join ${this.validFlowTable} f on c.client_id = f.client_id `, C = "";
|
|
2216
|
-
t && r && (C = `where c.${t} = ` +
|
|
2216
|
+
t && r && (C = `where c.${t} = ` + h.nextParameter(), w.push(r)), i !== null && i == null || (C == "" ? C = "where " : C += " and ", i == null ? C += "userid is null" : (C += `${this.useridForeignKeyColumn} = ` + h.nextParameter(), w.push(i))), n && (a || (a = 0), a = Number(a), n = Number(n), p == "" ? p = "where " : p += " and ", p += ` c.client_id in (select client_id from ${this.clientTable} limit ${n} offset ${a})`, C == "" ? C = "where " : C += " and ", C += ` c.client_id in (select client_id from ${this.clientTable} limit ${n} offset ${a})`), y += p, _ += C;
|
|
2217
2217
|
let T = y + " union " + _ + " order by client_id";
|
|
2218
2218
|
const k = await e.execute(T, w);
|
|
2219
2219
|
let A;
|
|
@@ -2255,12 +2255,12 @@ class We extends me {
|
|
|
2255
2255
|
for (let C = 0; C < i.length; ++C)
|
|
2256
2256
|
if (!b.isValidFlow(i[C])) throw new o(l.InvalidOAuthFlow, "Invalid flow " + i[C]);
|
|
2257
2257
|
}
|
|
2258
|
-
let c = [],
|
|
2258
|
+
let c = [], h = [], w = [], y = this.dbPool.parameters();
|
|
2259
2259
|
try {
|
|
2260
2260
|
for (let C in n)
|
|
2261
|
-
c.push(C),
|
|
2261
|
+
c.push(C), h.push(y.nextParameter()), w.push(n[C]);
|
|
2262
2262
|
if (c.length > 0) {
|
|
2263
|
-
let C = c.join(", "), T =
|
|
2263
|
+
let C = c.join(", "), T = h.join(", ");
|
|
2264
2264
|
const k = `insert into ${this.clientTable} (${C}) values (${T})`;
|
|
2265
2265
|
await e.execute(k, w);
|
|
2266
2266
|
}
|
|
@@ -2341,14 +2341,14 @@ class We extends me {
|
|
|
2341
2341
|
if (!b.isValidFlow(i[T])) throw new o(l.InvalidOAuthFlow, "Redirect Uri's may not contain page fragments");
|
|
2342
2342
|
}
|
|
2343
2343
|
if (!t.client_id) throw new o(l.InvalidClientId, "No client ig given");
|
|
2344
|
-
let { client_id: a, redirect_uri: n, valid_flow: c, ...
|
|
2344
|
+
let { client_id: a, redirect_uri: n, valid_flow: c, ...h } = t;
|
|
2345
2345
|
n || (n = []), c || (c = []);
|
|
2346
2346
|
let w = this.dbPool.parameters(), y = `delete from ${this.redirectUriTable} where client_id = ` + w.nextParameter();
|
|
2347
2347
|
await e.execute(y, [t.client_id]), w = this.dbPool.parameters(), y = `delete from ${this.validFlowTable} where client_id = ` + w.nextParameter(), await e.execute(y, [t.client_id]);
|
|
2348
2348
|
let p = [], _ = [], C = [];
|
|
2349
2349
|
w = this.dbPool.parameters(), y = `delete from ${this.validFlowTable} where client_id = ` + w.nextParameter();
|
|
2350
|
-
for (let T in
|
|
2351
|
-
p.push(T), _.push(w.nextParameter()), C.push(
|
|
2350
|
+
for (let T in h)
|
|
2351
|
+
p.push(T), _.push(w.nextParameter()), C.push(h[T]);
|
|
2352
2352
|
if (p.length > 0) {
|
|
2353
2353
|
let T = p.join(", "), k = _.join(", ");
|
|
2354
2354
|
y = `update ${this.clientTable} set (${T}) values (${k})`, await e.execute(y, C);
|
|
@@ -2387,9 +2387,9 @@ class Je extends we {
|
|
|
2387
2387
|
*/
|
|
2388
2388
|
constructor(e, t = {}) {
|
|
2389
2389
|
super();
|
|
2390
|
-
|
|
2391
|
-
|
|
2392
|
-
|
|
2390
|
+
d(this, "authorizationTable", "oauthauthorization");
|
|
2391
|
+
d(this, "useridForeignKeyColumn", "userid");
|
|
2392
|
+
d(this, "dbPool");
|
|
2393
2393
|
m("authorizationTable", g.String, this, t, "OAUTH_CLIENT_TABLE"), m("useridForeignKeyColumn", g.String, this, t, "USER_ID_FOREIGN_KEY_COLUMN"), this.dbPool = e;
|
|
2394
2394
|
}
|
|
2395
2395
|
async getAuthorizations(e, t) {
|
|
@@ -2410,8 +2410,8 @@ class Je extends we {
|
|
|
2410
2410
|
await i.startTransaction();
|
|
2411
2411
|
let a = this.dbPool.parameters(), n = [], c = `delete from ${this.authorizationTable} where client_id = ` + a.nextParameter();
|
|
2412
2412
|
n.push(e), t ? (c += ` and ${this.useridForeignKeyColumn} = ` + a.nextParameter(), n.push(t)) : c += ` and ${this.useridForeignKeyColumn} is null`, await i.execute(c, n);
|
|
2413
|
-
for (let
|
|
2414
|
-
a = this.dbPool.parameters(), n = [], c = `insert into ${this.authorizationTable} (client_id, userid, scope) values (` + a.nextParameter() + ", " + a.nextParameter() + ", " + a.nextParameter() + ")", n.push(e), n.push(t), n.push(
|
|
2413
|
+
for (let h of r)
|
|
2414
|
+
a = this.dbPool.parameters(), n = [], c = `insert into ${this.authorizationTable} (client_id, userid, scope) values (` + a.nextParameter() + ", " + a.nextParameter() + ", " + a.nextParameter() + ")", n.push(e), n.push(t), n.push(h), await i.execute(c, n);
|
|
2415
2415
|
await i.commit();
|
|
2416
2416
|
} catch (a) {
|
|
2417
2417
|
throw await i.rollback(), a;
|
|
@@ -2433,7 +2433,7 @@ class Ze {
|
|
|
2433
2433
|
class de extends Ye {
|
|
2434
2434
|
constructor(e) {
|
|
2435
2435
|
super();
|
|
2436
|
-
|
|
2436
|
+
d(this, "pgPool");
|
|
2437
2437
|
this.pgPool = e;
|
|
2438
2438
|
}
|
|
2439
2439
|
async connect() {
|
|
@@ -2447,7 +2447,7 @@ class de extends Ye {
|
|
|
2447
2447
|
class Xe extends Ze {
|
|
2448
2448
|
constructor(e) {
|
|
2449
2449
|
super();
|
|
2450
|
-
|
|
2450
|
+
d(this, "pgClient");
|
|
2451
2451
|
this.pgClient = e;
|
|
2452
2452
|
}
|
|
2453
2453
|
crossauthErrorFromPostgresError(e) {
|
|
@@ -2482,7 +2482,7 @@ class Xe extends Ze {
|
|
|
2482
2482
|
class Qe extends Ge {
|
|
2483
2483
|
constructor() {
|
|
2484
2484
|
super();
|
|
2485
|
-
|
|
2485
|
+
d(this, "nextParam", 1);
|
|
2486
2486
|
}
|
|
2487
2487
|
nextParameter() {
|
|
2488
2488
|
return "$" + this.nextParam++;
|
|
@@ -2535,8 +2535,8 @@ class re {
|
|
|
2535
2535
|
* @param options see {@link AuthenticationOptions}
|
|
2536
2536
|
*/
|
|
2537
2537
|
constructor(s) {
|
|
2538
|
-
|
|
2539
|
-
|
|
2538
|
+
d(this, "friendlyName");
|
|
2539
|
+
d(this, "factorName", "");
|
|
2540
2540
|
if (!(s != null && s.friendlyName)) throw new o(l.Configuration, "Authenticator must have a friendly name");
|
|
2541
2541
|
this.friendlyName = s == null ? void 0 : s.friendlyName;
|
|
2542
2542
|
}
|
|
@@ -2784,10 +2784,10 @@ const Ce = process.env.PBKDF2_DIGEST || "sha256", Se = Number(process.env.PBKDF2
|
|
|
2784
2784
|
const i = r[0], a = r[1], n = JSON.parse(Buffer.from(i, "base64url").toString());
|
|
2785
2785
|
if (t && n.t + t * 1e3 > (/* @__PURE__ */ new Date()).getTime())
|
|
2786
2786
|
throw new o(l.Expired);
|
|
2787
|
-
const
|
|
2788
|
-
if (
|
|
2787
|
+
const h = ie(ae, e).update(i).digest("base64url");
|
|
2788
|
+
if (h.length != a.length)
|
|
2789
2789
|
throw new o(l.InvalidKey, "Signature does not match payload");
|
|
2790
|
-
if (!he(Buffer.from(
|
|
2790
|
+
if (!he(Buffer.from(h), Buffer.from(a)))
|
|
2791
2791
|
throw new o(l.InvalidKey, "Signature does not match payload");
|
|
2792
2792
|
return n;
|
|
2793
2793
|
}
|
|
@@ -2852,7 +2852,7 @@ const Ce = process.env.PBKDF2_DIGEST || "sha256", Se = Number(process.env.PBKDF2
|
|
|
2852
2852
|
return c = Buffer.concat([c, n.final()]), c.toString();
|
|
2853
2853
|
}
|
|
2854
2854
|
};
|
|
2855
|
-
|
|
2855
|
+
d(q, "Base32", "ABCDEFGHJKLMNPQRSTUVWXYZ23456789".split(""));
|
|
2856
2856
|
let v = q;
|
|
2857
2857
|
function tt(S) {
|
|
2858
2858
|
let s = [];
|
|
@@ -2874,19 +2874,19 @@ const le = class le extends be {
|
|
|
2874
2874
|
*/
|
|
2875
2875
|
constructor(e, t = {}) {
|
|
2876
2876
|
super({ friendlyName: "Local password", ...t });
|
|
2877
|
-
|
|
2877
|
+
d(this, "secret");
|
|
2878
2878
|
/** If true, the secret key will be added to the salt when hashing. Default false */
|
|
2879
|
-
|
|
2879
|
+
d(this, "enableSecretForPasswords", !1);
|
|
2880
2880
|
/** See {@link LocalPasswordAuthenticatorOptions.pbkdf2Digest} */
|
|
2881
|
-
|
|
2881
|
+
d(this, "pbkdf2Digest", "sha256");
|
|
2882
2882
|
/** See {@link LocalPasswordAuthenticatorOptions.pbkdf2Iterations} */
|
|
2883
|
-
|
|
2883
|
+
d(this, "pbkdf2Iterations", 6e5);
|
|
2884
2884
|
/** See {@link LocalPasswordAuthenticatorOptions.pbkdf2SaltLength} */
|
|
2885
|
-
|
|
2885
|
+
d(this, "pbkdf2SaltLength", 16);
|
|
2886
2886
|
/** See {@link LocalPasswordAuthenticatorOptions.pbkdf2KeyLength} */
|
|
2887
|
-
|
|
2887
|
+
d(this, "pbkdf2KeyLength", 32);
|
|
2888
2888
|
/** See {@link LocalPasswordAuthenticatorOptions.validatePasswordFn} */
|
|
2889
|
-
|
|
2889
|
+
d(this, "validatePasswordFn", tt);
|
|
2890
2890
|
m("secret", g.String, this, t, "HASHER_SECRET"), m("enableSecretForPasswordHash", g.Boolean, this, t, "ENABLE_SECRET_FOR_PASSWORDS"), m("pbkdf2Digest", g.String, this, t, "PASSWORD_PBKDF2_DIGEST"), m("pbkdf2Iterations", g.String, this, t, "PASSWORD_PBKDF2_ITERATIONS"), m("pbkdf2SaltLength", g.String, this, t, "PASSWORD_PBKDF2_SALTLENGTH"), m("pbkdf2KeyLength", g.String, this, t, "PASSWORD_PBKDF2_KEYLENGTH"), t.validatePasswordFn && (this.validatePasswordFn = t.validatePasswordFn);
|
|
2891
2891
|
}
|
|
2892
2892
|
/**
|
|
@@ -3019,7 +3019,7 @@ const le = class le extends be {
|
|
|
3019
3019
|
async reprepareConfiguration(e, t) {
|
|
3020
3020
|
}
|
|
3021
3021
|
};
|
|
3022
|
-
|
|
3022
|
+
d(le, "NoPassword", "********");
|
|
3023
3023
|
let ve = le;
|
|
3024
3024
|
class Z extends re {
|
|
3025
3025
|
/**
|
|
@@ -3029,18 +3029,18 @@ class Z extends re {
|
|
|
3029
3029
|
*/
|
|
3030
3030
|
constructor(e = {}) {
|
|
3031
3031
|
super({ friendlyName: "Email otp", ...e });
|
|
3032
|
-
|
|
3033
|
-
|
|
3034
|
-
|
|
3035
|
-
|
|
3036
|
-
|
|
3037
|
-
|
|
3038
|
-
|
|
3039
|
-
|
|
3040
|
-
|
|
3041
|
-
|
|
3042
|
-
|
|
3043
|
-
|
|
3032
|
+
d(this, "views", "views");
|
|
3033
|
+
d(this, "emailAuthenticatorTextBody", "emailauthenticationtextbody.njk");
|
|
3034
|
+
d(this, "emailAuthenticatorHtmlBody");
|
|
3035
|
+
d(this, "emailAuthenticatorSubject", "Login code");
|
|
3036
|
+
d(this, "emailFrom", "");
|
|
3037
|
+
d(this, "smtpHost", "");
|
|
3038
|
+
d(this, "smtpPort", 587);
|
|
3039
|
+
d(this, "smtpUseTls", !0);
|
|
3040
|
+
d(this, "smtpUsername");
|
|
3041
|
+
d(this, "smtpPassword");
|
|
3042
|
+
d(this, "emailAuthenticatorTokenExpires", 60 * 5);
|
|
3043
|
+
d(this, "render");
|
|
3044
3044
|
m("views", g.String, this, e, "VIEWS"), m("emailAuthenticatorTextBody", g.String, this, e, "EMAIL_AUTHENTICATOR_TEXT_BODY"), m("emailAuthenticatorHtmlBody", g.String, this, e, "EMAIL_AUTHENTICATOR_HTML_BODY"), m("emailAuthenticatorSubject", g.String, this, e, "EMAIL_AUTHENTICATOR_SUBJECT"), m("emailFrom", g.String, this, e, "EMAIL_FROM", !0), m("smtpHost", g.String, this, e, "SMTP_HOST", !0), m("smtpPort", g.Number, this, e, "SMTP_PORT"), m("smtpUsername", g.String, this, e, "SMTP_USERNAME"), m("smtpPassword", g.String, this, e, "SMTP_PASSWORD"), m("smtpUseTls", g.Boolean, this, e, "SMTP_USE_TLS"), m("emailAuthenticatorTokenExpires", g.Number, this, e, "EMAIL_AUTHENTICATOR_TOKEN_EXPIRES"), e.render ? this.render = e.render : W.configure(this.views, { autoescape: !0 });
|
|
3045
3045
|
}
|
|
3046
3046
|
/**
|
|
@@ -3098,10 +3098,10 @@ class Z extends re {
|
|
|
3098
3098
|
factor2: this.factorName,
|
|
3099
3099
|
expiry: a,
|
|
3100
3100
|
otp: t
|
|
3101
|
-
},
|
|
3101
|
+
}, h = this.sendToken(r, t);
|
|
3102
3102
|
return u.logger.info(f({
|
|
3103
3103
|
msg: "Sent factor otp email",
|
|
3104
|
-
emailMessageId:
|
|
3104
|
+
emailMessageId: h,
|
|
3105
3105
|
email: r
|
|
3106
3106
|
})), { userData: n, sessionData: c };
|
|
3107
3107
|
}
|
|
@@ -3244,11 +3244,11 @@ class Q extends re {
|
|
|
3244
3244
|
*/
|
|
3245
3245
|
constructor(e = {}) {
|
|
3246
3246
|
super({ friendlyName: "SMS otp", ...e });
|
|
3247
|
-
|
|
3248
|
-
|
|
3249
|
-
|
|
3250
|
-
|
|
3251
|
-
|
|
3247
|
+
d(this, "views", "views");
|
|
3248
|
+
d(this, "smsAuthenticatorBody", "smsauthenticationbody.njk");
|
|
3249
|
+
d(this, "smsAuthenticatorFrom", "");
|
|
3250
|
+
d(this, "smsAuthenticatorTokenExpires", 60 * 5);
|
|
3251
|
+
d(this, "render");
|
|
3252
3252
|
m("views", g.String, this, e, "VIEWS"), m("smsAuthenticatorBody", g.String, this, e, "SMS_AUTHENTICATOR_BODY"), m("smsAuthenticatorFrom", g.String, this, e, "SMS_AUTHENTICATOR_FROM", !0), m("smsAuthenticatorTokenExpires", g.Number, this, e, "SMS_AUTHENTICATOR_TOKEN_EXPIRES"), e.render ? this.render = e.render : W.configure(this.views, { autoescape: !0 });
|
|
3253
3253
|
}
|
|
3254
3254
|
/**
|
|
@@ -3288,8 +3288,8 @@ class Q extends re {
|
|
|
3288
3288
|
expiry: a,
|
|
3289
3289
|
otp: t
|
|
3290
3290
|
};
|
|
3291
|
-
let
|
|
3292
|
-
const w = this.render ? this.render(this.smsAuthenticatorBody,
|
|
3291
|
+
let h = { otp: t };
|
|
3292
|
+
const w = this.render ? this.render(this.smsAuthenticatorBody, h) : W.render(this.smsAuthenticatorBody, h), y = this.sendSms(r, w);
|
|
3293
3293
|
return u.logger.info(f({
|
|
3294
3294
|
msg: "Sent factor otp sms",
|
|
3295
3295
|
smsMessageId: y,
|
|
@@ -3442,8 +3442,8 @@ class Ue extends Q {
|
|
|
3442
3442
|
*/
|
|
3443
3443
|
constructor(e = {}) {
|
|
3444
3444
|
super(e);
|
|
3445
|
-
|
|
3446
|
-
|
|
3445
|
+
d(this, "accountSid");
|
|
3446
|
+
d(this, "authToken");
|
|
3447
3447
|
if (!process.env.TWILIO_ACCOUNT_SID || !process.env.TWILIO_AUTH_TOKEN)
|
|
3448
3448
|
throw new o(
|
|
3449
3449
|
l.Configuration,
|
|
@@ -3475,7 +3475,7 @@ class Rt extends re {
|
|
|
3475
3475
|
*/
|
|
3476
3476
|
constructor(e, t = {}) {
|
|
3477
3477
|
super({ friendlyName: "Dummy factor2", ...t });
|
|
3478
|
-
|
|
3478
|
+
d(this, "code");
|
|
3479
3479
|
this.code = e;
|
|
3480
3480
|
}
|
|
3481
3481
|
/**
|
|
@@ -3637,9 +3637,10 @@ class Dt extends be {
|
|
|
3637
3637
|
*/
|
|
3638
3638
|
constructor(e, t = {}) {
|
|
3639
3639
|
super({ friendlyName: "LDAP", ...t });
|
|
3640
|
-
|
|
3641
|
-
|
|
3642
|
-
|
|
3640
|
+
d(this, "ldapAutoCreateAccount", !1);
|
|
3641
|
+
d(this, "ldapStorage");
|
|
3642
|
+
d(this, "ldapAutoCreateFactor1", "ldap");
|
|
3643
|
+
m("ldapAutoCreateAccount", g.Boolean, this, t, "LDAP_AUTO_CREATE_ACCOUNT"), m("ldapAutoCreateFactor1", g.Boolean, this, t, "LDAP_AUTO_CREATE_FACTOR1"), this.ldapStorage = e;
|
|
3643
3644
|
}
|
|
3644
3645
|
/**
|
|
3645
3646
|
* Authenticates the user, returning a the user as a {@link User} object.
|
|
@@ -3656,9 +3657,9 @@ class Dt extends be {
|
|
|
3656
3657
|
let i;
|
|
3657
3658
|
if (this.ldapAutoCreateAccount)
|
|
3658
3659
|
try {
|
|
3659
|
-
i = (await this.ldapStorage.getUserByUsername(e.username)).user;
|
|
3660
|
+
i = (await this.ldapStorage.getUserByUsername(e.username)).user, i.factor1 = this.ldapAutoCreateFactor1;
|
|
3660
3661
|
} catch {
|
|
3661
|
-
i = await this.ldapStorage.createUser(e, r);
|
|
3662
|
+
i = await this.ldapStorage.createUser({ factor1: this.ldapAutoCreateFactor1, ...e }, r);
|
|
3662
3663
|
}
|
|
3663
3664
|
else
|
|
3664
3665
|
i = (await this.ldapStorage.getUserByUsername(e.username)).user;
|
|
@@ -3730,7 +3731,7 @@ class xt extends re {
|
|
|
3730
3731
|
*/
|
|
3731
3732
|
constructor(e, t) {
|
|
3732
3733
|
super({ friendlyName: "Google Authenticator", ...t });
|
|
3733
|
-
|
|
3734
|
+
d(this, "appName");
|
|
3734
3735
|
this.appName = e;
|
|
3735
3736
|
}
|
|
3736
3737
|
/**
|
|
@@ -3913,26 +3914,26 @@ class R {
|
|
|
3913
3914
|
* @param options see {@link TokenEmailerOptions}
|
|
3914
3915
|
*/
|
|
3915
3916
|
constructor(s, e, t = {}) {
|
|
3916
|
-
|
|
3917
|
-
|
|
3918
|
-
|
|
3919
|
-
|
|
3920
|
-
|
|
3921
|
-
|
|
3922
|
-
|
|
3923
|
-
|
|
3924
|
-
|
|
3925
|
-
|
|
3926
|
-
|
|
3927
|
-
|
|
3928
|
-
|
|
3929
|
-
|
|
3930
|
-
|
|
3931
|
-
|
|
3932
|
-
|
|
3933
|
-
|
|
3934
|
-
|
|
3935
|
-
|
|
3917
|
+
d(this, "userStorage");
|
|
3918
|
+
d(this, "keyStorage");
|
|
3919
|
+
d(this, "views", "views");
|
|
3920
|
+
d(this, "siteUrl");
|
|
3921
|
+
d(this, "prefix", "/");
|
|
3922
|
+
d(this, "emailVerificationTextBody", "emailverificationtextbody.njk");
|
|
3923
|
+
d(this, "emailVerificationHtmlBody");
|
|
3924
|
+
d(this, "emailVerificationSubject", "Please verify your email");
|
|
3925
|
+
d(this, "passwordResetTextBody", "passwordresettextbody.njk");
|
|
3926
|
+
d(this, "passwordResetHtmlBody");
|
|
3927
|
+
d(this, "passwordResetSubject", "Password reset");
|
|
3928
|
+
d(this, "emailFrom", "");
|
|
3929
|
+
d(this, "smtpHost", "");
|
|
3930
|
+
d(this, "smtpPort", 587);
|
|
3931
|
+
d(this, "smtpUseTls", !0);
|
|
3932
|
+
d(this, "smtpUsername");
|
|
3933
|
+
d(this, "smtpPassword");
|
|
3934
|
+
d(this, "verifyEmailExpires", 60 * 60 * 24);
|
|
3935
|
+
d(this, "passwordResetExpires", 60 * 60 * 24);
|
|
3936
|
+
d(this, "render");
|
|
3936
3937
|
this.userStorage = s, this.keyStorage = e, m("siteUrl", g.String, this, t, "SITE_URL", !0), m("prefix", g.String, this, t, "PREFIX"), m("views", g.String, this, t, "VIEWS"), m("emailVerificationTextBody", g.String, this, t, "EMAIL_VERIFICATION_TEXT_BODY"), m("emailVerificationHtmlBody", g.String, this, t, "EMAIL_VERIFICATION_HTML_BODY"), m("emailVerificationSubject", g.String, this, t, "EMAIL_VERIFICATION_SUBJECT"), m("passwordResetTextBody", g.String, this, t, "PASSWORD_RESET_TEXT_BODY"), m("passwordResetHtmlBody", g.String, this, t, "PASSWORD_RESET_HTML_BODY"), m("passwordResetSubject", g.String, this, t, "PASSWORD_RESET_SUBJECT"), m("emailFrom", g.String, this, t, "EMAIL_FROM", !0), m("smtpHost", g.String, this, t, "SMTP_HOST", !0), m("smtpPort", g.Number, this, t, "SMTP_PORT"), m("smtpUsername", g.String, this, t, "SMTP_USERNAME"), m("smtpPassword", g.String, this, t, "SMTP_PASSWORD"), m("smtpUseTls", g.Boolean, this, t, "SMTP_USE_TLS"), m("verifyEmailExpires", g.Boolean, this, t, "VERIFY_EMAIL_EXPIRES"), m("passwordResetExpires", g.String, this, t, "PASSWORD_RESET_EXPIRES"), t.render ? this.render = t.render : W.configure(this.views, { autoescape: !0 });
|
|
3937
3938
|
}
|
|
3938
3939
|
createEmailer() {
|
|
@@ -4166,17 +4167,17 @@ class rt {
|
|
|
4166
4167
|
constructor(s = {}) {
|
|
4167
4168
|
// header settings
|
|
4168
4169
|
/** name of the CRSF HTTP header */
|
|
4169
|
-
|
|
4170
|
+
d(this, "headerName", "X-CROSSAUTH-CSRF");
|
|
4170
4171
|
// cookie settings
|
|
4171
4172
|
/** Name of the CSRF Cookie */
|
|
4172
|
-
|
|
4173
|
-
|
|
4174
|
-
|
|
4175
|
-
|
|
4176
|
-
|
|
4177
|
-
|
|
4173
|
+
d(this, "cookieName", "CSRFTOKEN");
|
|
4174
|
+
d(this, "domain");
|
|
4175
|
+
d(this, "httpOnly", !1);
|
|
4176
|
+
d(this, "path", "/");
|
|
4177
|
+
d(this, "secure", !0);
|
|
4178
|
+
d(this, "sameSite", "lax");
|
|
4178
4179
|
// hasher settings
|
|
4179
|
-
|
|
4180
|
+
d(this, "secret", "");
|
|
4180
4181
|
m("headerName", g.String, this, s, "CSRF_HEADER_NAME"), m("cookieName", g.String, this, s, "CSRF_COOKIE_NAME"), m("domain", g.String, this, s, "CSRF_COOKIE_DOMAIN"), m("httpOnly", g.Boolean, this, s, "CSRF_COOKIE_HTTPONLY"), m("path", g.String, this, s, "CSRF_COOKIE_PATH"), m("secure", g.Boolean, this, s, "CSRF_COOKIE_SECURE"), m("sameSite", g.String, this, s, "CSRF_COOKIE_SAMESITE"), m("secret", g.String, this, s, "SECRET", !0);
|
|
4181
4182
|
}
|
|
4182
4183
|
/**
|
|
@@ -4279,26 +4280,26 @@ class D {
|
|
|
4279
4280
|
* expires option is ignored (cookies are session-only).
|
|
4280
4281
|
*/
|
|
4281
4282
|
constructor(s, e = {}) {
|
|
4282
|
-
|
|
4283
|
-
|
|
4283
|
+
d(this, "userStorage");
|
|
4284
|
+
d(this, "keyStorage");
|
|
4284
4285
|
/** This is set from input options. Number of seconds before an
|
|
4285
4286
|
* idle session will time out
|
|
4286
4287
|
*/
|
|
4287
|
-
|
|
4288
|
-
|
|
4289
|
-
|
|
4288
|
+
d(this, "idleTimeout", 0);
|
|
4289
|
+
d(this, "persist", !0);
|
|
4290
|
+
d(this, "filterFunction");
|
|
4290
4291
|
// cookie settings
|
|
4291
4292
|
/** Name of the CSRF Cookie, set from input options */
|
|
4292
|
-
|
|
4293
|
-
|
|
4293
|
+
d(this, "cookieName", "SESSIONID");
|
|
4294
|
+
d(this, "maxAge", 60 * 60 * 24 * 30);
|
|
4294
4295
|
// 30 days
|
|
4295
|
-
|
|
4296
|
-
|
|
4297
|
-
|
|
4298
|
-
|
|
4299
|
-
|
|
4296
|
+
d(this, "domain");
|
|
4297
|
+
d(this, "httpOnly", !1);
|
|
4298
|
+
d(this, "path", "/");
|
|
4299
|
+
d(this, "secure", !0);
|
|
4300
|
+
d(this, "sameSite", "lax");
|
|
4300
4301
|
// hasher settings
|
|
4301
|
-
|
|
4302
|
+
d(this, "secret", "");
|
|
4302
4303
|
e.userStorage && (this.userStorage = e.userStorage), this.keyStorage = s, m("idleTimeout", g.Number, this, e, "SESSION_IDLE_TIMEOUT"), m("persist", g.Boolean, this, e, "PERSIST_SESSION_ID"), this.filterFunction = e.filterFunction, m("cookieName", g.String, this, e, "SESSION_COOKIE_NAME"), m("maxAge", g.String, this, e, "SESSION_COOKIE_MAX_AGE"), m("domain", g.String, this, e, "SESSION_COOKIE_DOMAIN"), m("httpOnly", g.Boolean, this, e, "SESSIONCOOKIE_HTTPONLY"), m("path", g.String, this, e, "SESSION_COOKIE_PATH"), m("secure", g.Boolean, this, e, "SESSION_COOKIE_SECURE"), m("sameSite", g.String, this, e, "SESSION_COOKIE_SAMESITE"), m("secret", g.String, this, e, "SECRET", !0);
|
|
4303
4304
|
}
|
|
4304
4305
|
expiry(s) {
|
|
@@ -4336,9 +4337,9 @@ class D {
|
|
|
4336
4337
|
const a = /* @__PURE__ */ new Date();
|
|
4337
4338
|
let n = this.expiry(a), c = !1;
|
|
4338
4339
|
for (; r < 10 && !c; ) {
|
|
4339
|
-
const
|
|
4340
|
+
const h = D.hashSessionId(i);
|
|
4340
4341
|
try {
|
|
4341
|
-
this.idleTimeout > 0 && s && (e = { ...e, lastActivity: /* @__PURE__ */ new Date() }), await this.keyStorage.saveKey(s,
|
|
4342
|
+
this.idleTimeout > 0 && s && (e = { ...e, lastActivity: /* @__PURE__ */ new Date() }), await this.keyStorage.saveKey(s, h, a, n, void 0, e), c = !0;
|
|
4342
4343
|
} catch (w) {
|
|
4343
4344
|
let y = o.asCrossauthError(w);
|
|
4344
4345
|
if (y.code == l.KeyExists || y.code == l.InvalidKey) {
|
|
@@ -4466,17 +4467,17 @@ class Lt {
|
|
|
4466
4467
|
* @param options optional parameters for authentication. See {@link SessionManagerOptions }.
|
|
4467
4468
|
*/
|
|
4468
4469
|
constructor(s, e, t = {}) {
|
|
4469
|
-
|
|
4470
|
-
|
|
4471
|
-
|
|
4472
|
-
|
|
4473
|
-
|
|
4474
|
-
|
|
4470
|
+
d(this, "userStorage");
|
|
4471
|
+
d(this, "keyStorage");
|
|
4472
|
+
d(this, "emailTokenStorage");
|
|
4473
|
+
d(this, "csrfTokens");
|
|
4474
|
+
d(this, "session");
|
|
4475
|
+
d(this, "authenticators");
|
|
4475
4476
|
//readonly authenticator : UsernamePasswordAuthenticator;
|
|
4476
|
-
|
|
4477
|
-
|
|
4478
|
-
|
|
4479
|
-
|
|
4477
|
+
d(this, "enableEmailVerification", !1);
|
|
4478
|
+
d(this, "enablePasswordReset", !1);
|
|
4479
|
+
d(this, "tokenEmailer");
|
|
4480
|
+
d(this, "allowedFactor2", []);
|
|
4480
4481
|
t.userStorage && (this.userStorage = t.userStorage), this.keyStorage = s, this.authenticators = e;
|
|
4481
4482
|
for (let r in this.authenticators)
|
|
4482
4483
|
this.authenticators[r].factorName = r;
|
|
@@ -4558,7 +4559,7 @@ class Lt {
|
|
|
4558
4559
|
const p = await this.session.createSessionKey(i.id, t);
|
|
4559
4560
|
c = this.session.makeCookie(p, r);
|
|
4560
4561
|
}
|
|
4561
|
-
const
|
|
4562
|
+
const h = this.csrfTokens.createCsrfToken(), w = this.csrfTokens.makeCsrfCookie(h), y = this.csrfTokens.makeCsrfFormOrHeaderToken(h);
|
|
4562
4563
|
try {
|
|
4563
4564
|
this.emailTokenStorage.deleteAllForUser(
|
|
4564
4565
|
i.id,
|
|
@@ -4836,12 +4837,12 @@ class Lt {
|
|
|
4836
4837
|
if (!this.userStorage) throw new o(l.Configuration, "Cannot call initiateTwoFactorSignup if no user storage provided");
|
|
4837
4838
|
if (!this.authenticators[s.factor1]) throw new o(l.Configuration, "Authenticator cannot create users");
|
|
4838
4839
|
if (!this.authenticators[s.factor2]) throw new o(l.Configuration, "Two factor authentication not enabled for user");
|
|
4839
|
-
const a = await this.authenticators[s.factor2].prepareConfiguration(s), n = a == null ? {} : a.userData, c = a == null ? {} : a.sessionData,
|
|
4840
|
+
const a = await this.authenticators[s.factor2].prepareConfiguration(s), n = a == null ? {} : a.userData, c = a == null ? {} : a.sessionData, h = await this.authenticators[s.factor1].createPersistentSecrets(s.username, e, r);
|
|
4840
4841
|
return s.state = "awaitingtwofactorsetup", await this.keyStorage.updateData(
|
|
4841
4842
|
D.hashSessionId(t),
|
|
4842
4843
|
"2fa",
|
|
4843
4844
|
c
|
|
4844
|
-
), { userid: (await this.userStorage.createUser(s,
|
|
4845
|
+
), { userid: (await this.userStorage.createUser(s, h)).id, userData: n };
|
|
4845
4846
|
}
|
|
4846
4847
|
/**
|
|
4847
4848
|
* Begins the process of setting up 2FA for a user which has already been
|
|
@@ -4884,10 +4885,10 @@ class Lt {
|
|
|
4884
4885
|
*/
|
|
4885
4886
|
async repeatTwoFactorSignup(s) {
|
|
4886
4887
|
if (!this.userStorage) throw new o(l.Configuration, "Cannot call repeatTwoFactorSignup if no user storage provided");
|
|
4887
|
-
const e = (await this.dataForSessionId(s))["2fa"], t = e.username, r = e.factor2, i = D.hashSessionId(s), a = await this.keyStorage.getKey(i), c = await this.authenticators[r].reprepareConfiguration(t, a),
|
|
4888
|
+
const e = (await this.dataForSessionId(s))["2fa"], t = e.username, r = e.factor2, i = D.hashSessionId(s), a = await this.keyStorage.getKey(i), c = await this.authenticators[r].reprepareConfiguration(t, a), h = c == null ? {} : c.userData, w = c == null ? {} : c.secrets, y = c == null ? {} : c.newSessionData;
|
|
4888
4889
|
y && await this.keyStorage.updateData(i, "2fa", y);
|
|
4889
4890
|
const { user: p } = await this.userStorage.getUserByUsername(t, { skipActiveCheck: !0, skipEmailVerifiedCheck: !0 });
|
|
4890
|
-
return { userid: p.id, userData:
|
|
4891
|
+
return { userid: p.id, userData: h, secrets: w };
|
|
4891
4892
|
}
|
|
4892
4893
|
/**
|
|
4893
4894
|
* Authenticates with the second factor.
|
|
@@ -4913,9 +4914,9 @@ class Lt {
|
|
|
4913
4914
|
let n = a.username;
|
|
4914
4915
|
const c = this.authenticators[a.factor2];
|
|
4915
4916
|
if (!c) throw new o(l.Configuration, "Unrecognised second factor authentication");
|
|
4916
|
-
const
|
|
4917
|
+
const h = {}, w = c.secretNames();
|
|
4917
4918
|
for (let C in a)
|
|
4918
|
-
w.includes(C) && (
|
|
4919
|
+
w.includes(C) && (h[C] = a[C]);
|
|
4919
4920
|
await c.authenticateUser(void 0, a, s), r || (t = !0, r = (await this.userStorage.getUserByUsername(n, { skipActiveCheck: !0, skipEmailVerifiedCheck: !0 })).user);
|
|
4920
4921
|
const y = c.skipEmailVerificationOnSignup() == !0;
|
|
4921
4922
|
if (!r) throw new o(l.UserNotExist, "Couldn't fetch user");
|
|
@@ -4924,7 +4925,7 @@ class Lt {
|
|
|
4924
4925
|
state: !y && this.enableEmailVerification ? "awaitingemailverification" : "active",
|
|
4925
4926
|
factor2: a.factor2
|
|
4926
4927
|
};
|
|
4927
|
-
return c.secretNames().length > 0 ? await this.userStorage.updateUser(p,
|
|
4928
|
+
return c.secretNames().length > 0 ? await this.userStorage.updateUser(p, h) : await this.userStorage.updateUser(p), !y && t && this.enableEmailVerification && this.tokenEmailer && await ((_ = this.tokenEmailer) == null ? void 0 : _.sendEmailVerificationToken(r.id, void 0)), await this.keyStorage.updateData(D.hashSessionId(i.value), "2fa", void 0), { ...r, ...p };
|
|
4928
4929
|
}
|
|
4929
4930
|
/**
|
|
4930
4931
|
* Initiates the two factor login process.
|
|
@@ -4954,13 +4955,13 @@ class Lt {
|
|
|
4954
4955
|
*/
|
|
4955
4956
|
async initiateTwoFactorPageVisit(s, e, t, r, i) {
|
|
4956
4957
|
const n = await this.authenticators[s.factor2].createOneTimeSecrets(s);
|
|
4957
|
-
let c,
|
|
4958
|
+
let c, h, w;
|
|
4958
4959
|
const y = D.hashSessionId(e);
|
|
4959
4960
|
u.logger.debug("initiateTwoFactorPageVisit " + s.username + " " + e + " " + y);
|
|
4960
4961
|
let p = { username: s.username, factor2: s.factor2, secrets: n, body: t, url: r };
|
|
4961
4962
|
return i && (p["content-type"] = i), await this.keyStorage.updateData(y, "pre2fa", p), {
|
|
4962
4963
|
sessionCookie: c,
|
|
4963
|
-
csrfCookie:
|
|
4964
|
+
csrfCookie: h,
|
|
4964
4965
|
csrfFormOrHeaderValue: w
|
|
4965
4966
|
};
|
|
4966
4967
|
}
|
|
@@ -4982,8 +4983,8 @@ class Lt {
|
|
|
4982
4983
|
const { secrets: i } = await this.userStorage.getUserByUsername(r.pre2fa.username), a = this.authenticators[r.pre2fa.factor2];
|
|
4983
4984
|
if (!a) throw new o(l.Configuration, "Unrecognised second factor authentication");
|
|
4984
4985
|
const n = {}, c = a.secretNames();
|
|
4985
|
-
for (let
|
|
4986
|
-
c.includes(
|
|
4986
|
+
for (let h in i)
|
|
4987
|
+
c.includes(h) && h in i && (n[h] = i[h]);
|
|
4987
4988
|
await a.authenticateUser(void 0, { ...n, ...r.pre2fa.secrets }, s), await this.keyStorage.updateData(D.hashSessionId(t.value), "pre2fa", void 0);
|
|
4988
4989
|
}
|
|
4989
4990
|
/**
|
|
@@ -5024,15 +5025,15 @@ class Lt {
|
|
|
5024
5025
|
let { key: i } = await this.session.getUserForSessionId(e);
|
|
5025
5026
|
if (!i || !i.data || i.data == "") throw new o(l.Unauthorized);
|
|
5026
5027
|
let a = x.decodeData(i.data)["2fa"], n = a.username, c = a.factor2;
|
|
5027
|
-
const { user:
|
|
5028
|
+
const { user: h, secrets: w } = await this.userStorage.getUserByUsername(n), y = this.authenticators[c];
|
|
5028
5029
|
if (!y) throw new o(l.Configuration, "Second factor " + c + " not enabled");
|
|
5029
|
-
await y.authenticateUser(
|
|
5030
|
-
const p = await this.session.createSessionKey(
|
|
5030
|
+
await y.authenticateUser(h, { ...w, ...a }, s);
|
|
5031
|
+
const p = await this.session.createSessionKey(h.id, t);
|
|
5031
5032
|
await this.keyStorage.deleteKey(D.hashSessionId(i.value));
|
|
5032
5033
|
const _ = this.session.makeCookie(p, r), C = this.csrfTokens.createCsrfToken(), T = this.csrfTokens.makeCsrfCookie(C), k = this.csrfTokens.makeCsrfFormOrHeaderToken(C);
|
|
5033
5034
|
try {
|
|
5034
5035
|
this.emailTokenStorage.deleteAllForUser(
|
|
5035
|
-
|
|
5036
|
+
h.id,
|
|
5036
5037
|
U.passwordResetToken
|
|
5037
5038
|
);
|
|
5038
5039
|
} catch (A) {
|
|
@@ -5042,7 +5043,7 @@ class Lt {
|
|
|
5042
5043
|
sessionCookie: _,
|
|
5043
5044
|
csrfCookie: T,
|
|
5044
5045
|
csrfFormOrHeaderValue: k,
|
|
5045
|
-
user:
|
|
5046
|
+
user: h
|
|
5046
5047
|
};
|
|
5047
5048
|
}
|
|
5048
5049
|
/**
|
|
@@ -5096,10 +5097,10 @@ class Lt {
|
|
|
5096
5097
|
let { user: a, secrets: n } = await this.userStorage.getUserByUsername(s);
|
|
5097
5098
|
const c = e == 1 ? a.factor1 : a.factor2;
|
|
5098
5099
|
i != null && await this.authenticators[c].authenticateUser(a, n, i);
|
|
5099
|
-
const
|
|
5100
|
+
const h = await this.authenticators[a.factor1].createPersistentSecrets(a.username, t, r);
|
|
5100
5101
|
await this.userStorage.updateUser(
|
|
5101
5102
|
{ id: a.id },
|
|
5102
|
-
|
|
5103
|
+
h
|
|
5103
5104
|
);
|
|
5104
5105
|
try {
|
|
5105
5106
|
this.emailTokenStorage.deleteAllForUser(
|
|
@@ -5125,8 +5126,8 @@ class Lt {
|
|
|
5125
5126
|
throw new o(l.UserNotExist, "Please specify a user id");
|
|
5126
5127
|
if (!("username" in s) || s.username == null)
|
|
5127
5128
|
throw new o(l.UserNotExist, "Please specify a userername");
|
|
5128
|
-
let { email: a, username: n, password: c, ...
|
|
5129
|
-
|
|
5129
|
+
let { email: a, username: n, password: c, ...h } = e;
|
|
5130
|
+
h.userid = s.userid;
|
|
5130
5131
|
let w = !1;
|
|
5131
5132
|
if (a)
|
|
5132
5133
|
i = a, R.validateEmail(i), w = !0;
|
|
@@ -5138,7 +5139,7 @@ class Lt {
|
|
|
5138
5139
|
}
|
|
5139
5140
|
w && R.validateEmail(i);
|
|
5140
5141
|
}
|
|
5141
|
-
return !t && this.enableEmailVerification && w ? await ((y = this.tokenEmailer) == null ? void 0 : y.sendEmailVerificationToken(s.id, i)) : (a && (
|
|
5142
|
+
return !t && this.enableEmailVerification && w ? await ((y = this.tokenEmailer) == null ? void 0 : y.sendEmailVerificationToken(s.id, i)) : (a && (h.email = a), n && (h.username = n)), (e.state == E.passwordResetNeeded || e.state == E.passwordAndFactor2ResetNeeded) && await ((p = this.tokenEmailer) == null ? void 0 : p.sendPasswordResetToken(s.id, {}, r)), await this.userStorage.updateUser(h), {
|
|
5142
5143
|
emailVerificationTokenSent: !t && this.enableEmailVerification && w,
|
|
5143
5144
|
passwordResetTokenSent: e.state == E.passwordResetNeeded || e.state == E.passwordAndFactor2ResetNeeded
|
|
5144
5145
|
};
|
|
@@ -5183,15 +5184,15 @@ class ge {
|
|
|
5183
5184
|
* @param options options. See {@link ApiKeyManagerOptions}
|
|
5184
5185
|
*/
|
|
5185
5186
|
constructor(s, e = {}) {
|
|
5186
|
-
|
|
5187
|
-
|
|
5188
|
-
|
|
5187
|
+
d(this, "apiKeyStorage");
|
|
5188
|
+
d(this, "keyLength", 16);
|
|
5189
|
+
d(this, "secret", "");
|
|
5189
5190
|
/** The prefix to add to the hashed key in storage. Defaults to
|
|
5190
5191
|
* {@link @crossauth/common!KeyPrefix}.apiKey
|
|
5191
5192
|
*/
|
|
5192
|
-
|
|
5193
|
+
d(this, "prefix", U.apiKey);
|
|
5193
5194
|
/** The name of the speak in the Authorization header. Defaults to "ApiKey" */
|
|
5194
|
-
|
|
5195
|
+
d(this, "authScheme", "ApiKey");
|
|
5195
5196
|
this.apiKeyStorage = s, m("secret", g.String, this, e, "SECRET", !0), m("keyLength", g.String, this, e, "APIKEY_LENGTH"), m("prefix", g.String, this, e, "APIKEY_PREFIX"), m("authScheme", g.String, this, e, "APIKEY_AUTHSCHEME");
|
|
5196
5197
|
}
|
|
5197
5198
|
/**
|
|
@@ -5213,7 +5214,7 @@ class ge {
|
|
|
5213
5214
|
* Authorization header (with the signature appended.)
|
|
5214
5215
|
*/
|
|
5215
5216
|
async createKey(s, e, t, r, i) {
|
|
5216
|
-
const a = v.randomValue(this.keyLength), n = /* @__PURE__ */ new Date(), c = r ? new Date(n.getTime() + r * 1e3) : void 0,
|
|
5217
|
+
const a = v.randomValue(this.keyLength), n = /* @__PURE__ */ new Date(), c = r ? new Date(n.getTime() + r * 1e3) : void 0, h = ge.hashApiKeyValue(a), w = {
|
|
5217
5218
|
name: s,
|
|
5218
5219
|
value: a,
|
|
5219
5220
|
userid: e,
|
|
@@ -5224,7 +5225,7 @@ class ge {
|
|
|
5224
5225
|
};
|
|
5225
5226
|
await this.apiKeyStorage.saveKey(
|
|
5226
5227
|
e,
|
|
5227
|
-
this.prefix +
|
|
5228
|
+
this.prefix + h,
|
|
5228
5229
|
n,
|
|
5229
5230
|
c,
|
|
5230
5231
|
w.data,
|
|
@@ -5282,10 +5283,10 @@ class J {
|
|
|
5282
5283
|
* @param options See {@link OAuthClientManagerOptions}
|
|
5283
5284
|
*/
|
|
5284
5285
|
constructor(s = {}) {
|
|
5285
|
-
|
|
5286
|
-
|
|
5287
|
-
|
|
5288
|
-
|
|
5286
|
+
d(this, "oauthPbkdf2Digest", "sha256");
|
|
5287
|
+
d(this, "oauthPbkdf2Iterations", 4e4);
|
|
5288
|
+
d(this, "oauthPbkdf2KeyLength", 32);
|
|
5289
|
+
d(this, "clientStorage");
|
|
5289
5290
|
if (!s.clientStorage) throw new o(
|
|
5290
5291
|
l.Configuration,
|
|
5291
5292
|
"Must specify clientStorage when adding a client manager"
|
|
@@ -5315,7 +5316,7 @@ class J {
|
|
|
5315
5316
|
})), e.forEach((y) => {
|
|
5316
5317
|
J.validateUri(y);
|
|
5317
5318
|
}), t || (t = b.allFlows());
|
|
5318
|
-
const
|
|
5319
|
+
const h = {
|
|
5319
5320
|
client_id: a,
|
|
5320
5321
|
client_secret: n,
|
|
5321
5322
|
client_name: s,
|
|
@@ -5327,13 +5328,13 @@ class J {
|
|
|
5327
5328
|
let w;
|
|
5328
5329
|
for (let y = 0; y < 5; ++y)
|
|
5329
5330
|
try {
|
|
5330
|
-
w = await this.clientStorage.createClient(
|
|
5331
|
+
w = await this.clientStorage.createClient(h);
|
|
5331
5332
|
break;
|
|
5332
5333
|
} catch (p) {
|
|
5333
5334
|
if (y == 4) {
|
|
5334
5335
|
if (o.asCrossauthError(p).code != l.ClientExists) throw p;
|
|
5335
5336
|
} else
|
|
5336
|
-
|
|
5337
|
+
h.client_id = J.randomClientId();
|
|
5337
5338
|
}
|
|
5338
5339
|
if (!w) throw new o(l.ClientExists);
|
|
5339
5340
|
return w.client_secret && c && (w.client_secret = c), w;
|
|
@@ -5433,57 +5434,58 @@ class zt {
|
|
|
5433
5434
|
* @param options See {@link OAuthAuthorizationServerOptions }
|
|
5434
5435
|
*/
|
|
5435
5436
|
constructor(s, e, t, r = {}) {
|
|
5436
|
-
|
|
5437
|
-
|
|
5438
|
-
|
|
5439
|
-
|
|
5440
|
-
|
|
5437
|
+
d(this, "clientStorage");
|
|
5438
|
+
d(this, "keyStorage");
|
|
5439
|
+
d(this, "userStorage");
|
|
5440
|
+
d(this, "authenticators", {});
|
|
5441
|
+
d(this, "authStorage");
|
|
5441
5442
|
/** For validating redirect URIs. */
|
|
5442
|
-
|
|
5443
|
-
|
|
5444
|
-
|
|
5445
|
-
|
|
5446
|
-
|
|
5447
|
-
|
|
5448
|
-
|
|
5449
|
-
|
|
5450
|
-
|
|
5451
|
-
|
|
5452
|
-
|
|
5453
|
-
|
|
5454
|
-
|
|
5455
|
-
|
|
5456
|
-
|
|
5457
|
-
|
|
5458
|
-
|
|
5459
|
-
|
|
5460
|
-
|
|
5461
|
-
|
|
5462
|
-
|
|
5463
|
-
|
|
5464
|
-
|
|
5465
|
-
|
|
5466
|
-
|
|
5467
|
-
|
|
5468
|
-
|
|
5469
|
-
|
|
5470
|
-
|
|
5471
|
-
|
|
5472
|
-
|
|
5473
|
-
|
|
5443
|
+
d(this, "clientManager");
|
|
5444
|
+
d(this, "oauthIssuer", "");
|
|
5445
|
+
d(this, "audience", null);
|
|
5446
|
+
d(this, "requireRedirectUriRegistration", !0);
|
|
5447
|
+
d(this, "requireClientSecretOrChallenge", !0);
|
|
5448
|
+
d(this, "jwtAlgorithm", "RS256");
|
|
5449
|
+
d(this, "jwtAlgorithmChecked", "RS256");
|
|
5450
|
+
d(this, "codeLength", 32);
|
|
5451
|
+
d(this, "jwtKeyType", "");
|
|
5452
|
+
d(this, "jwtSecretKey", "");
|
|
5453
|
+
d(this, "jwtPublicKey", "");
|
|
5454
|
+
d(this, "jwtPrivateKey", "");
|
|
5455
|
+
d(this, "jwtSecretKeyFile", "");
|
|
5456
|
+
d(this, "jwtPublicKeyFile", "");
|
|
5457
|
+
d(this, "jwtPrivateKeyFile", "");
|
|
5458
|
+
d(this, "jwtKid", "1");
|
|
5459
|
+
d(this, "secretOrPrivateKey", "");
|
|
5460
|
+
d(this, "secretOrPublicKey", "");
|
|
5461
|
+
d(this, "persistAccessToken", !1);
|
|
5462
|
+
d(this, "issueRefreshToken", !1);
|
|
5463
|
+
d(this, "opaqueAccessToken", !1);
|
|
5464
|
+
d(this, "accessTokenExpiry", 60 * 60);
|
|
5465
|
+
d(this, "refreshTokenExpiry", 60 * 60);
|
|
5466
|
+
d(this, "rollingRefreshToken", !0);
|
|
5467
|
+
d(this, "authorizationCodeExpiry", 60 * 5);
|
|
5468
|
+
d(this, "mfaTokenExpiry", 60 * 5);
|
|
5469
|
+
d(this, "clockTolerance", 10);
|
|
5470
|
+
d(this, "emptyScopeIsValid", !0);
|
|
5471
|
+
d(this, "validateScopes", !1);
|
|
5472
|
+
d(this, "validScopes", []);
|
|
5473
|
+
d(this, "idTokenClaims", {});
|
|
5474
|
+
d(this, "accessTokenClaims", {});
|
|
5474
5475
|
// device code
|
|
5475
|
-
|
|
5476
|
-
|
|
5477
|
-
|
|
5478
|
-
|
|
5479
|
-
|
|
5480
|
-
|
|
5481
|
-
|
|
5476
|
+
d(this, "userCodeExpiry", 60 * 5);
|
|
5477
|
+
d(this, "userCodeThrottle", 1500);
|
|
5478
|
+
d(this, "deviceCodePollInterval", 5);
|
|
5479
|
+
d(this, "userCodeLength", 8);
|
|
5480
|
+
d(this, "deviceCodeLength", 16);
|
|
5481
|
+
d(this, "userCodeDashEvery", 4);
|
|
5482
|
+
d(this, "deviceCodeVerificationUri", "");
|
|
5483
|
+
d(this, "authServerBaseUrl", "");
|
|
5482
5484
|
/** Set from options. See {@link OAuthAuthorizationServerOptions.validFlows} */
|
|
5483
|
-
|
|
5485
|
+
d(this, "validFlows", ["all"]);
|
|
5484
5486
|
/** Set from options. See {@link OAuthAuthorizationServerOptions.allowedFactor2} */
|
|
5485
|
-
|
|
5486
|
-
this.clientStorage = s, this.keyStorage = e, this.userStorage = r.userStorage, this.authStorage = r.authStorage, t && (this.authenticators = t), this.clientManager = new J({ clientStorage: s, ...r }), m("
|
|
5487
|
+
d(this, "allowedFactor2", []);
|
|
5488
|
+
this.clientStorage = s, this.keyStorage = e, this.userStorage = r.userStorage, this.authStorage = r.authStorage, t && (this.authenticators = t), this.clientManager = new J({ clientStorage: s, ...r }), m("authServerBaseUrl", g.String, this, r, "AUTH_SERVER_BASE_URL", !0), m("oauthIssuer", g.String, this, r, "OAUTH_ISSUER"), this.oauthIssuer || (this.oauthIssuer = this.authServerBaseUrl), m("audience", g.String, this, r, "OAUTH_AUDIENCE"), m("oauthPbkdf2Iterations", g.String, this, r, "OAUTH_PBKDF2_ITERATIONS"), m("requireClientSecretOrChallenge", g.Boolean, this, r, "OAUTH_REQUIRE_CLIENT_SECRET_OR_CHALLENGE"), m("jwtAlgorithm", g.String, this, r, "JWT_ALGORITHM"), m("codeLength", g.Number, this, r, "OAUTH_CODE_LENGTH"), m("jwtKeyType", g.String, this, r, "JWT_KEY_TYPE"), m("jwtSecretKeyFile", g.String, this, r, "JWT_SECRET_KEY_FILE"), m("jwtPublicKeyFile", g.String, this, r, "JWT_PUBLIC_KEY_FILE"), m("jwtPrivateKeyFile", g.String, this, r, "JWT_PRIVATE_KEY_FILE"), m("jwtSecretKey", g.String, this, r, "JWT_SECRET_KEY"), m("jwtPublicKey", g.String, this, r, "JWT_PUBLIC_KEY"), m("jwtPrivateKey", g.String, this, r, "JWT_PRIVATE_KEY"), m("jwtKid", g.String, this, r, "JWT_KID"), m("persistAccessToken", g.String, this, r, "OAUTH_PERSIST_ACCESS_TOKEN"), m("issueRefreshToken", g.String, this, r, "OAUTH_ISSUE_REFRESH_TOKEN"), m("opaqueAccessToken", g.String, this, r, "OAUTH_OPAQUE_ACCESS_TOKEN"), m("accessTokenExpiry", g.Number, this, r, "OAUTH_ACCESS_TOKEN_EXPIRY"), m("refreshTokenExpiry", g.Number, this, r, "OAUTH_REFRESH_TOKEN_EXPIRY"), m("rollingRefreshToken", g.Boolean, this, r, "OAUTH_ROLLING_REFRESH_TOKEN"), m("authorizationCodeExpiry", g.Number, this, r, "OAUTH_AUTHORIZATION_CODE_EXPIRY"), m("mfaTokenExpiry", g.Number, this, r, "OAUTH_MFA_TOKEN_EXPIRY"), m("clockTolerance", g.Number, this, r, "OAUTH_CLOCK_TOLERANCE"), m("validateScopes", g.Boolean, this, r, "OAUTH_VALIDATE_SCOPES"), m("emptyScopeIsValid", g.Boolean, this, r, "OAUTH_EMPTY_SCOPE_VALID"), 
m("validScopes", g.JsonArray, this, r, "OAUTH_VALID_SCOPES"), m("validFlows", g.JsonArray, this, r, "OAUTH_validFlows"), m("idTokenClaims", g.Json, this, r, "OAUTH_ID_TOKEN_CLAIMS"), m("accessTokenClaims", g.Json, this, r, "OAUTH_ACCESS_TOKEN_CLAIMS"), m("allowedFactor2", g.JsonArray, this, r, "ALLOWED_FACTOR2"), m("userCodeExpiry", g.Number, this, r, "DEVICECODE_USERCODE_EXPIRY"), m("userCodeThrottle", g.Number, this, r, "DEVICECODE_USERCODE_THROTTLE"), m("deviceCodePollInterval", g.Number, this, r, "DEVICECODE_POLL_INTERVAL"), m("deviceCodeLength", g.Number, this, r, "DEVICECODE_LENGTH"), m("userCodeLength", g.Number, this, r, "DEVICECODE_USERCODE_LENGTH");
|
|
5487
5489
|
let i = {};
|
|
5488
5490
|
if (m("userCodeDashEvery", g.String, i, r, "DEVICECODE_USERCODE_DASH_EVERY"), i.userCodeDashEvery)
|
|
5489
5491
|
if (i.userCodeDashEvery == "" || i.userCodeDashEvery.toLowerCase() == "null") this.userCodeDashEvery = null;
|
|
@@ -5753,7 +5755,7 @@ class zt {
|
|
|
5753
5755
|
codeVerifier: a,
|
|
5754
5756
|
refreshToken: n,
|
|
5755
5757
|
username: c,
|
|
5756
|
-
password:
|
|
5758
|
+
password: h,
|
|
5757
5759
|
mfaToken: w,
|
|
5758
5760
|
oobCode: y,
|
|
5759
5761
|
bindingCode: p,
|
|
@@ -5859,7 +5861,7 @@ class zt {
|
|
|
5859
5861
|
issueRefreshToken: H
|
|
5860
5862
|
});
|
|
5861
5863
|
} else if (s == "password") {
|
|
5862
|
-
if (!c || !
|
|
5864
|
+
if (!c || !h)
|
|
5863
5865
|
return {
|
|
5864
5866
|
error: "access_denied",
|
|
5865
5867
|
error_description: "Username and/or password not provided for password flow"
|
|
@@ -5879,7 +5881,7 @@ class zt {
|
|
|
5879
5881
|
await B.authenticateUser(
|
|
5880
5882
|
I,
|
|
5881
5883
|
$,
|
|
5882
|
-
{ password:
|
|
5884
|
+
{ password: h }
|
|
5883
5885
|
), K = I;
|
|
5884
5886
|
} catch (I) {
|
|
5885
5887
|
return u.logger.debug(f({ err: I })), {
|
|
@@ -6156,9 +6158,9 @@ class zt {
|
|
|
6156
6158
|
error_description: k
|
|
6157
6159
|
};
|
|
6158
6160
|
}
|
|
6159
|
-
let c,
|
|
6161
|
+
let c, h = !1;
|
|
6160
6162
|
const w = /* @__PURE__ */ new Date(), y = this.userCodeExpiry, p = new Date(w.getTime() + this.userCodeExpiry * 1e3 + this.clockTolerance * 1e3);
|
|
6161
|
-
for (let T = 0; T < 10 && !
|
|
6163
|
+
for (let T = 0; T < 10 && !h; ++T)
|
|
6162
6164
|
try {
|
|
6163
6165
|
c = v.randomValue(this.deviceCodeLength), await this.keyStorage.saveKey(
|
|
6164
6166
|
void 0,
|
|
@@ -6166,18 +6168,18 @@ class zt {
|
|
|
6166
6168
|
w,
|
|
6167
6169
|
p,
|
|
6168
6170
|
JSON.stringify({ scope: e, client_id: s })
|
|
6169
|
-
),
|
|
6171
|
+
), h = !0;
|
|
6170
6172
|
} catch {
|
|
6171
6173
|
u.logger.debug(f({ msg: `Attempt number${T} at creating a unique authozation code failed` }));
|
|
6172
6174
|
}
|
|
6173
|
-
if (!
|
|
6175
|
+
if (!h || !c)
|
|
6174
6176
|
return {
|
|
6175
6177
|
error: "server_error",
|
|
6176
6178
|
error_description: "Couldn't create device code"
|
|
6177
6179
|
};
|
|
6178
6180
|
let _;
|
|
6179
|
-
|
|
6180
|
-
for (let T = 0; T < 10 && !
|
|
6181
|
+
h = !1;
|
|
6182
|
+
for (let T = 0; T < 10 && !h; ++T)
|
|
6181
6183
|
try {
|
|
6182
6184
|
_ = v.randomBase32(this.userCodeLength), await this.keyStorage.saveKey(
|
|
6183
6185
|
void 0,
|
|
@@ -6185,11 +6187,11 @@ class zt {
|
|
|
6185
6187
|
w,
|
|
6186
6188
|
p,
|
|
6187
6189
|
JSON.stringify({ deviceCode: c })
|
|
6188
|
-
),
|
|
6190
|
+
), h = !0;
|
|
6189
6191
|
} catch {
|
|
6190
6192
|
u.logger.debug(f({ msg: `Attempt number${T} at creating a unique authozation code failed` }));
|
|
6191
6193
|
}
|
|
6192
|
-
if (!
|
|
6194
|
+
if (!h || !_)
|
|
6193
6195
|
return await this.deleteDeviceCode(c), {
|
|
6194
6196
|
error: "server_error",
|
|
6195
6197
|
error_description: "Couldn't create device code"
|
|
@@ -6282,19 +6284,19 @@ class zt {
|
|
|
6282
6284
|
error_description: "User code has already been used",
|
|
6283
6285
|
client_id: n
|
|
6284
6286
|
};
|
|
6285
|
-
let
|
|
6287
|
+
let h = !1;
|
|
6286
6288
|
if (u.logger.debug(f({
|
|
6287
6289
|
msg: "Checking scopes have been authorized",
|
|
6288
6290
|
scope: a
|
|
6289
|
-
})), a ?
|
|
6291
|
+
})), a ? h = await this.hasAllScopes(
|
|
6290
6292
|
n,
|
|
6291
6293
|
e,
|
|
6292
6294
|
a.split(" ")
|
|
6293
|
-
) :
|
|
6295
|
+
) : h = await this.hasAllScopes(
|
|
6294
6296
|
n,
|
|
6295
6297
|
e,
|
|
6296
6298
|
[null]
|
|
6297
|
-
), !
|
|
6299
|
+
), !h) {
|
|
6298
6300
|
try {
|
|
6299
6301
|
e != null && e.id && await this.keyStorage.updateData(U.deviceCode + r.deviceCode, "userid", e.id);
|
|
6300
6302
|
} catch (y) {
|
|
@@ -6507,8 +6509,8 @@ class zt {
|
|
|
6507
6509
|
async mfaChallengeEndpoint(s, e, t, r, i) {
|
|
6508
6510
|
const a = b.PasswordMfa, n = await this.getClientById(e);
|
|
6509
6511
|
if (!n.client) return n;
|
|
6510
|
-
const c = n.client,
|
|
6511
|
-
if (
|
|
6512
|
+
const c = n.client, h = await this.authenticateClient(a, c, t);
|
|
6513
|
+
if (h.error) return h;
|
|
6512
6514
|
const w = await this.validateMfaToken(s);
|
|
6513
6515
|
if (!w.user || !w.key) return w;
|
|
6514
6516
|
if (w.user.factor2 != i)
|
|
@@ -6601,7 +6603,7 @@ class zt {
|
|
|
6601
6603
|
error: "invalid_request",
|
|
6602
6604
|
error_description: `The redirect uri ${e} is invalid`
|
|
6603
6605
|
};
|
|
6604
|
-
const
|
|
6606
|
+
const h = /* @__PURE__ */ new Date(), w = this.authorizationCodeExpiry ? new Date(h.getTime() + this.authorizationCodeExpiry * 1e3 + this.clockTolerance * 1e3) : void 0, y = {};
|
|
6605
6607
|
t && (y.scope = t), i && (y.challengeMethod = a, y.challenge = v.hash(i)), n && (y.username = n.username, y.id = n.id);
|
|
6606
6608
|
const p = JSON.stringify(y);
|
|
6607
6609
|
let _ = !1, C = "";
|
|
@@ -6610,7 +6612,7 @@ class zt {
|
|
|
6610
6612
|
C = v.randomValue(this.codeLength), await this.keyStorage.saveKey(
|
|
6611
6613
|
void 0,
|
|
6612
6614
|
U.authorizationCode + v.hash(C),
|
|
6613
|
-
|
|
6615
|
+
h,
|
|
6614
6616
|
w,
|
|
6615
6617
|
p
|
|
6616
6618
|
), _ = !0;
|
|
@@ -6650,11 +6652,11 @@ class zt {
|
|
|
6650
6652
|
error: "access_denied",
|
|
6651
6653
|
error_description: "Invalid client secret"
|
|
6652
6654
|
};
|
|
6653
|
-
let
|
|
6655
|
+
let h = {};
|
|
6654
6656
|
if (e) {
|
|
6655
6657
|
let K;
|
|
6656
6658
|
try {
|
|
6657
|
-
K = await this.keyStorage.getKey(U.authorizationCode + v.hash(e)),
|
|
6659
|
+
K = await this.keyStorage.getKey(U.authorizationCode + v.hash(e)), h = x.decodeData(K.data);
|
|
6658
6660
|
} catch (O) {
|
|
6659
6661
|
return u.logger.debug(f({ err: O })), {
|
|
6660
6662
|
error: "access_denied",
|
|
@@ -6670,16 +6672,16 @@ class zt {
|
|
|
6670
6672
|
client_id: s == null ? void 0 : s.client_id
|
|
6671
6673
|
}));
|
|
6672
6674
|
}
|
|
6673
|
-
i =
|
|
6675
|
+
i = h.scope;
|
|
6674
6676
|
}
|
|
6675
|
-
if (n && (
|
|
6677
|
+
if (n && (h.username = n.username), h.challengeMethod && !h.challenge && h.challengeMethod != "plain" && h.challengeMethod != "S256")
|
|
6676
6678
|
return {
|
|
6677
6679
|
error: "access_denied",
|
|
6678
6680
|
error_description: "Invalid code challenge/code challenge method method for authorization code"
|
|
6679
6681
|
};
|
|
6680
|
-
if (
|
|
6681
|
-
const K =
|
|
6682
|
-
if (v.hash(K) !=
|
|
6682
|
+
if (h.challenge) {
|
|
6683
|
+
const K = h.challengeMethod == "plain" ? r ?? "" : v.sha256(r ?? "");
|
|
6684
|
+
if (v.hash(K) != h.challenge)
|
|
6683
6685
|
return {
|
|
6684
6686
|
error: "access_denied",
|
|
6685
6687
|
error_description: "Code verifier is incorrect"
|
|
@@ -6687,9 +6689,9 @@ class zt {
|
|
|
6687
6689
|
}
|
|
6688
6690
|
const w = /* @__PURE__ */ new Date(), y = Math.ceil(w.getTime() / 1e3);
|
|
6689
6691
|
let p;
|
|
6690
|
-
if ((i && i.includes("openid") || Object.keys(this.accessTokenClaims).length > 0) && this.userStorage &&
|
|
6692
|
+
if ((i && i.includes("openid") || Object.keys(this.accessTokenClaims).length > 0) && this.userStorage && h.username)
|
|
6691
6693
|
try {
|
|
6692
|
-
const { user: K } = await this.userStorage.getUserByUsername(
|
|
6694
|
+
const { user: K } = await this.userStorage.getUserByUsername(h.username);
|
|
6693
6695
|
n = K;
|
|
6694
6696
|
} catch (K) {
|
|
6695
6697
|
return u.logger.error(f({ err: K })), {
|
|
@@ -6702,7 +6704,7 @@ class zt {
|
|
|
6702
6704
|
jti: _,
|
|
6703
6705
|
iat: y,
|
|
6704
6706
|
iss: this.oauthIssuer,
|
|
6705
|
-
sub:
|
|
6707
|
+
sub: h.username,
|
|
6706
6708
|
type: "access"
|
|
6707
6709
|
};
|
|
6708
6710
|
C = this.addClaims(C, this.accessTokenClaims, i, n), i && (C.scope = i), this.accessTokenExpiry != null && (C.exp = y + this.accessTokenExpiry, p = new Date(w.getTime() + this.accessTokenExpiry * 1e3 + this.clockTolerance * 1e3)), this.audience && (C.aud = this.audience);
|
|
@@ -6734,7 +6736,7 @@ class zt {
|
|
|
6734
6736
|
jti: K,
|
|
6735
6737
|
iat: y,
|
|
6736
6738
|
iss: this.oauthIssuer,
|
|
6737
|
-
sub:
|
|
6739
|
+
sub: h.username,
|
|
6738
6740
|
type: "id"
|
|
6739
6741
|
};
|
|
6740
6742
|
if (i.includes("email") && (n != null && n.email) && (O.email = n.email), i.includes("address") && n && "address" in n && (O.address = n.address), i.includes("phone") && n && "phone" in n && (O.phone = n.phone), i.includes("profile") && n)
|
|
@@ -6775,7 +6777,7 @@ class zt {
|
|
|
6775
6777
|
let A;
|
|
6776
6778
|
if (a) {
|
|
6777
6779
|
const K = {
|
|
6778
|
-
username:
|
|
6780
|
+
username: h.username,
|
|
6779
6781
|
client_id: s.client_id
|
|
6780
6782
|
};
|
|
6781
6783
|
i && (K.scope = i);
|
|
@@ -6784,7 +6786,7 @@ class zt {
|
|
|
6784
6786
|
jti: v.uuid(),
|
|
6785
6787
|
iat: y,
|
|
6786
6788
|
iss: this.oauthIssuer,
|
|
6787
|
-
sub:
|
|
6789
|
+
sub: h.username,
|
|
6788
6790
|
type: "refresh"
|
|
6789
6791
|
};
|
|
6790
6792
|
this.refreshTokenExpiry != null && (j.exp = y + this.refreshTokenExpiry, O = this.refreshTokenExpiry ? new Date(y + this.refreshTokenExpiry * 1e3 + this.clockTolerance * 1e3) : void 0), this.oauthIssuer && (j.aud = this.oauthIssuer), A = await new Promise((N, P) => {
|
|
@@ -7127,15 +7129,15 @@ class nt extends Pe {
|
|
|
7127
7129
|
/**
|
|
7128
7130
|
* Value passed to the constructor. The `aud` claim must match it
|
|
7129
7131
|
*/
|
|
7130
|
-
|
|
7132
|
+
d(this, "audience");
|
|
7131
7133
|
/**
|
|
7132
7134
|
* Value passed to the constructor. If true, access tokens are saved
|
|
7133
7135
|
* in storage,
|
|
7134
7136
|
*/
|
|
7135
|
-
|
|
7136
|
-
|
|
7137
|
-
|
|
7138
|
-
|
|
7137
|
+
d(this, "persistAccessToken", !1);
|
|
7138
|
+
d(this, "keyStorage");
|
|
7139
|
+
d(this, "jwtSecretKeyFile", "");
|
|
7140
|
+
d(this, "jwtPublicKeyFile", "");
|
|
7139
7141
|
if (this.audience = e, m("authServerBaseUrl", g.String, this, t, "AUTH_SERVER_BASE_URL", !0), m("jwtSecretKeyFile", g.String, this, t, "JWT_SECRET_KEY_FILE"), m("jwtPublicKeyFile", g.String, this, t, "JWT_PUBLIC_KEY_FILE"), m("jwtSecretKey", g.String, this, t, "JWT_SECRET_KEY"), m("jwtPublicKey", g.String, this, t, "JWT_PUBLIC_KEY"), m("clockTolerance", g.Number, this, t, "OAUTH_CLOCK_TOLERANCE"), m("persistAccessToken", g.Boolean, this, t, "OAUTH_PERSIST_ACCESS_TOKEN"), this.keyStorage = t.keyStorage, this.jwtSecretKey || this.jwtSecretKeyFile) {
|
|
7140
7142
|
if (this.jwtPublicKey || this.jwtPublicKeyFile)
|
|
7141
7143
|
throw new o(
|
|
@@ -7225,15 +7227,15 @@ class Ht extends Ke {
|
|
|
7225
7227
|
),
|
|
7226
7228
|
...t
|
|
7227
7229
|
});
|
|
7228
|
-
|
|
7229
|
-
|
|
7230
|
-
|
|
7231
|
-
|
|
7232
|
-
|
|
7233
|
-
|
|
7230
|
+
d(this, "deviceAuthorizationUrl", "device_authorization");
|
|
7231
|
+
d(this, "userCreationType", "idToken");
|
|
7232
|
+
d(this, "userMatchField", "username");
|
|
7233
|
+
d(this, "idTokenMatchField", "sub");
|
|
7234
|
+
d(this, "userCreationFn");
|
|
7235
|
+
d(this, "userStorage");
|
|
7234
7236
|
this.client_id = r.client_id;
|
|
7235
7237
|
let i = {};
|
|
7236
|
-
if (m("stateLength", g.String, this, t, "OAUTH_STATE_LENGTH"), m("verifierLength", g.String, this, t, "OAUTH_VERIFIER_LENGTH"), m("client_secret", g.String, i, t, "OAUTH_CLIENT_SECRET"), m("codeChallengeMethod", g.String, this, t, "OAUTH_CODE_CHALLENGE_METHOD"), m("deviceAuthorizationUrl", g.String, this, t, "OAUTH_DEVICE_AUTHORIZATION_URL"), m("oauthLogFetch", g.Boolean, this, t, "OAUTH_LOG_FETCH"), this.deviceAuthorizationUrl.startsWith("/") && (this.deviceAuthorizationUrl = this.deviceAuthorizationUrl.substring(1)), i.client_secret && (this.client_secret = i.client_secret), m("userCreationType", g.String, this, t, "OAUTH_USER_CREATION_TYPE"), m("userMatchField", g.String, this, t, "OAUTH_USER_MATCH_FIELD"), m("idTokenMatchField", g.String, this, t, "OAUTH_IDTOKEN_MaTCH_FIELD"), this.userCreationType == "merge" ? this.userCreationFn = ot : this.userCreationType == "embed" ? this.userCreationFn = lt : t.userCreationFn && this.userCreationType == "custom" ? this.userCreationFn = t.userCreationFn : this.userCreationFn = ct, t.userStorage && (this.userStorage = t.userStorage), m("oauthPostType", g.String, this, t, "OAUTH_POST_TYPE"), m("oauthUseUserInfoEndpoint", g.Boolean, this, t, "OAUTH_USE_USER_INFO_ENDPOINT"), this.oauthPostType != "json" && this.oauthPostType != "form")
|
|
7238
|
+
if (m("stateLength", g.String, this, t, "OAUTH_STATE_LENGTH"), m("verifierLength", g.String, this, t, "OAUTH_VERIFIER_LENGTH"), m("client_secret", g.String, i, t, "OAUTH_CLIENT_SECRET"), m("codeChallengeMethod", g.String, this, t, "OAUTH_CODE_CHALLENGE_METHOD"), m("deviceAuthorizationUrl", g.String, this, t, "OAUTH_DEVICE_AUTHORIZATION_URL"), m("oauthLogFetch", g.Boolean, this, t, "OAUTH_LOG_FETCH"), this.deviceAuthorizationUrl.startsWith("/") && (this.deviceAuthorizationUrl = this.deviceAuthorizationUrl.substring(1)), i.client_secret && (this.client_secret = i.client_secret), m("userCreationType", g.String, this, t, "OAUTH_USER_CREATION_TYPE"), m("userMatchField", g.String, this, t, "OAUTH_USER_MATCH_FIELD"), m("idTokenMatchField", g.String, this, t, "OAUTH_IDTOKEN_MaTCH_FIELD"), this.userCreationType == "merge" ? this.userCreationFn = ot : this.userCreationType == "embed" ? this.userCreationFn = lt : t.userCreationFn && this.userCreationType == "custom" ? this.userCreationFn = t.userCreationFn : this.userCreationFn = ct, t.userStorage && (this.userStorage = t.userStorage), m("oauthPostType", g.String, this, t, "OAUTH_POST_TYPE"), m("oauthUseUserInfoEndpoint", g.Boolean, this, t, "OAUTH_USE_USER_INFO_ENDPOINT"), m("oauthAuthorizeRedirect", g.String, this, t, "OAUTH_AUTHORIZE_REDIRECT"), this.oauthPostType != "json" && this.oauthPostType != "form")
|
|
7237
7239
|
throw new o(l.Configuration, "oauthPostType must be json or form");
|
|
7238
7240
|
}
|
|
7239
7241
|
/**
|
|
@@ -7298,7 +7300,7 @@ class jt {
|
|
|
7298
7300
|
* Keyed on auth server base URL then audience. The latter may be ""
|
|
7299
7301
|
* for none
|
|
7300
7302
|
*/
|
|
7301
|
-
|
|
7303
|
+
d(this, "tokenConsumers");
|
|
7302
7304
|
this.tokenConsumers = [...s];
|
|
7303
7305
|
}
|
|
7304
7306
|
/**
|